Edit tour

Windows Analysis Report
fa_rss.exe

Overview

General Information

Sample Name:	fa_rss.exe
Analysis ID:	727557
MD5:	b7819e2c9ada79f6123ba7a492e39715
SHA1:	e7f05363626233ace6dfd7c7e8055b5b304b7257
SHA256:	3c153e1c96c5fff2c5ed5aada23e1ec65eece4a64891b104164b5728276fefae
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

fa_rss.exe (PID: 5928 cmdline: C:\Users\user\Desktop\fa_rss.exe MD5: B7819E2C9ADA79F6123BA7A492E39715)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fa_rss.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: fa_rss.exe	ReversingLabs: Detection: 27%
Source: fa_rss.exe	Virustotal: Detection: 44%			Perma Link

Source: fa_rss.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fa_rss.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 3.233.131.217:443 -> 192.168.2.5:49709 version: TLS 1.2

Source: fa_rss.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\on-service\fa_rss\engine\Release\fa_rss.pdb source: fa_rss.exe

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_00403176 FindFirstFileExW,

3_2_00403176

Source: global traffic

HTTP traffic detected: GET /pixel.gif?guid=32BB3542-7533-27D2-5200-3CE24BD43271&version=&evt_src=fa_product&evt_action=channel&id=-1&nocache=4734296 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: veryfast.ioConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: fa_rss.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: fa_rss.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: fa_rss.exe	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: fa_rss.exe	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: fa_rss.exe, 00000003.00000003.291816648.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000003.291895441.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000002.300565669.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000003.292178040.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fa_rss.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-4.crl0
Source: fa_rss.exe	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: fa_rss.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: fa_rss.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P
Source: fa_rss.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T
Source: fa_rss.exe	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: fa_rss.exe	String found in binary or memory: http://ocsp.godaddy.com/0
Source: fa_rss.exe	String found in binary or memory: http://ocsp.godaddy.com/05
Source: fa_rss.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: fa_rss.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0H
Source: fa_rss.exe	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: fa_rss.exe	String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: fa_rss.exe, 00000003.00000002.300526801.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000003.292235654.00000000014B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: fa_rss.exe, 00000003.00000002.300464511.0000000001440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_app_v2.php?guid=%ws&lastid=%d&lasttime=%d&nocache=%d%ws
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_app_v2.php?guid=%ws&lastid=%d&lasttime=%d&nocache=%d%wsr.#https://veryfas
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%d
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%dopen
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_show_v2.php?&oid=%d&guid=%ws&nocache=
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_show_v2.php?&oid=%d&guid=%ws&nocache=%s
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/notify_show_v2.php?oid=%d&guid=%ws&nocache=%d
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%d
Source: fa_rss.exe	String found in binary or memory: https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%dSoftw
Source: fa_rss.exe, 00000003.00000003.292178040.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://veryfast.io/pixel.gif?guid=32BB3542-7533-27D2-5200-3CE24BD43271&version=&evt_src=fa_product&

Source: unknown

DNS traffic detected: queries for: veryfast.io

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F1F10 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,GetTickCount,URLDownloadToFileW,DeleteFileW,

3_2_003F1F10

Source: global traffic

Source: unknown

HTTPS traffic detected: 3.233.131.217:443 -> 192.168.2.5:49709 version: TLS 1.2

Source: fa_rss.exe, 00000003.00000002.300471899.000000000144A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: fa_rss.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003FB0F4	3_2_003FB0F4
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_00406A78	3_2_00406A78
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_0040A201	3_2_0040A201
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_0040A321	3_2_0040A321
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F1CD0	3_2_003F1CD0
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_0040B57D	3_2_0040B57D
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_004065E0	3_2_004065E0
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003FAEC2	3_2_003FAEC2

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: String function: 003F6720 appears 43 times

Source: fa_rss.exe	ReversingLabs: Detection: 27%
Source: fa_rss.exe	Virustotal: Detection: 44%

Source: fa_rss.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fa_rss.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\fa_rss.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F4E20 LoadResource,LockResource,SizeofResource,

3_2_003F4E20

Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: APPDATA	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: HyA	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: \fa_rss	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: \fa_rss	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: \fa_rss	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: TEMP	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: DyA	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: H5A	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: MachineGuid	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: %wsX	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: default	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: Local\fa_rss	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: Local\fa_rss	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: active	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: product	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: id=-1	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: id=-1	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: channel	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: channel	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: product	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: product	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: ERROR	3_2_003F38C0
Source: C:\Users\user\Desktop\fa_rss.exe	Command line argument: <yA	3_2_003F38C0

Source: C:\Users\user\Desktop\fa_rss.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM

Jump to behavior

Source: C:\Users\user\Desktop\fa_rss.exe

File created: C:\Users\user\AppData\Local\Temp\temp_event

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F56C0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,SysFreeString,CoSetProxyBlanket,CoUninitialize,SysFreeString,SysFreeString,VariantClear,VariantClear,CoUninitialize,SysFreeString,

3_2_003F56C0

Source: C:\Users\user\Desktop\fa_rss.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\fa_rss.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: fa_rss.exe

Static PE information: certificate valid

Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fa_rss.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: fa_rss.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: fa_rss.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\on-service\fa_rss\engine\Release\fa_rss.pdb source: fa_rss.exe

Source: fa_rss.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fa_rss.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fa_rss.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fa_rss.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fa_rss.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F6766 push ecx; ret

3_2_003F6779

Source: C:\Users\user\Desktop\fa_rss.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_00403176 FindFirstFileExW,

3_2_00403176

Source: fa_rss.exe, 00000003.00000002.300471899.000000000144A000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000003.292213547.000000000147A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0H
Source: fa_rss.exe, 00000003.00000003.292251039.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000002.300471899.000000000144A000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000003.292213547.000000000147A000.00000004.00000020.00020000.00000000.sdmp, fa_rss.exe, 00000003.00000002.300552708.00000000014CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003FD890 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_003FD890

Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003FED36 mov eax, dword ptr fs:[00000030h]	3_2_003FED36
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_00402DEB mov eax, dword ptr fs:[00000030h]	3_2_00402DEB
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_00402E2F mov eax, dword ptr fs:[00000030h]	3_2_00402E2F

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F5450 GetProcessHeap,__Init_thread_footer,__Init_thread_footer,

3_2_003F5450

Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F6657 SetUnhandledExceptionFilter,	3_2_003F6657
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003FD890 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_003FD890
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F64C4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_003F64C4
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F5D16 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_003F5D16

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F677B cpuid

3_2_003F677B

Source: C:\Users\user\Desktop\fa_rss.exe

Code function: 3_2_003F63B3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_003F63B3

Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F1030 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		3_2_003F1030
Source: C:\Users\user\Desktop\fa_rss.exe	Code function: 3_2_003F1090 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		3_2_003F1090

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fa_rss.exe	28%	ReversingLabs	Win32.Adware.FstApp
fa_rss.exe	44%	Virustotal		Browse
fa_rss.exe	11%	Metadefender		Browse
fa_rss.exe	100%	Avira	ADWARE/Redcap.cpspx

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
veryfast.io	3.233.131.217	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://veryfast.io/pixel.gif?guid=32BB3542-7533-27D2-5200-3CE24BD43271&version=&evt_src=fa_product&evt_action=channel&id=-1&nocache=4734296	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://veryfast.io/notify_show_v2.php?&oid=%d&guid=%ws&nocache=%s	fa_rss.exe	false	high
https://certs.starfieldtech.com/repository/0	fa_rss.exe	false	high
http://crl.godaddy.com/gdig2s5-4.crl0	fa_rss.exe	false	high
https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%d	fa_rss.exe	false	high
http://certificates.godaddy.com/repository/0	fa_rss.exe	false	high
https://veryfast.io/	fa_rss.exe, 00000003.00000002.300464511.0000000001440000.00000004.00000020.00020000.00000000.sdmp	false	high
http://certs.starfieldtech.com/repository/1402	fa_rss.exe	false	high
http://crl.starfieldtech.com/sfroot-g2.crl0L	fa_rss.exe	false	high
http://certs.godaddy.com/repository/1301	fa_rss.exe	false	high
https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%d	fa_rss.exe	false	high
https://veryfast.io/notify_show_v2.php?&oid=%d&guid=%ws&nocache=	fa_rss.exe	false	high
http://ocsp.starfieldtech.com/0;	fa_rss.exe	false	high
https://certs.godaddy.com/repository/0	fa_rss.exe	false	high
http://crl.godaddy.com/gdroot-g2.crl0F	fa_rss.exe	false	high
http://ocsp.starfieldtech.com/0H	fa_rss.exe	false	high
http://crl.starfieldtech.com/repository/0	fa_rss.exe	false	high
http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P	fa_rss.exe	false	high
https://veryfast.io/notify_app_v2.php?guid=%ws&lastid=%d&lasttime=%d&nocache=%d%ws	fa_rss.exe	false	high
https://veryfast.io/notify_show_v2.php?oid=%d&guid=%ws&nocache=%d	fa_rss.exe	false	high
https://veryfast.io/notify_app_v2.php?guid=%ws&lastid=%d&lasttime=%d&nocache=%d%wsr.#https://veryfas	fa_rss.exe	false	high
http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T	fa_rss.exe	false	high
https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%dopen	fa_rss.exe	false	high
http://certificates.godaddy.com/repository/gdig2.crt0	fa_rss.exe	false	high
https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%dSoftw	fa_rss.exe	false	high
https://veryfast.io/pixel.gif?guid=32BB3542-7533-27D2-5200-3CE24BD43271&version=&evt_src=fa_product&	fa_rss.exe, 00000003.00000003.292178040.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.233.131.217	veryfast.io	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	727557
Start date and time:	2022-10-21 15:08:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fa_rss.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@1/2@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 94.1%) Quality average: 79% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 10 Number of non-executed functions: 61
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.235, 80.67.82.211
Excluded domains from analysis (whitelisted): login.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
veryfast.io	SetupFA.exe	Get hash	malicious	Browse	3.215.103.17
	https://veryfast.io/downloading.html	Get hash	malicious	Browse	34.195.48.210
	Setup 2.exe	Get hash	malicious	Browse	34.195.48.210
	SetupFA.exe	Get hash	malicious	Browse	34.195.48.210
	fa_rss.exe	Get hash	malicious	Browse	34.195.48.210
	SetupFA.exe	Get hash	malicious	Browse	34.195.48.210
	Fast! Installer.exe	Get hash	malicious	Browse	34.195.48.210
	{C57CA5B7-A655-48F9-AF02-CA9C6BB0E91B}.exe	Get hash	malicious	Browse	34.195.48.210
	fa_rss.exe	Get hash	malicious	Browse	34.195.48.210
	v77C369u1p.exe	Get hash	malicious	Browse	34.195.48.210
	Setup.exe	Get hash	malicious	Browse	34.195.48.210

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	Quotation #7328071819-Xlsx.com.exe	Get hash	malicious	Browse	3.232.242.170
	QQ5e4BOEAi.exe	Get hash	malicious	Browse	52.20.78.240
	Q29TxrhFz0.elf	Get hash	malicious	Browse	18.207.157.53
	k4XtVYf7J6.elf	Get hash	malicious	Browse	54.27.198.249
	FB-108N & FB-108NK #U8a62#U50f9 - #U7530#U52e4.exe	Get hash	malicious	Browse	3.220.57.224
	4p2Isdc9i1.exe	Get hash	malicious	Browse	3.220.57.224
	T005H0jdjS.elf	Get hash	malicious	Browse	44.200.240.98
	MT0013562700.exe	Get hash	malicious	Browse	3.220.57.224
	Bank slip.exe	Get hash	malicious	Browse	54.91.59.199
	Purchase Order 247463.xll	Get hash	malicious	Browse	54.91.59.199
	Dokument_ZD_0071_10_22_pdf .exe	Get hash	malicious	Browse	3.232.242.170
	proforma invoice.pdf.z.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.16235.2157.rtf	Get hash	malicious	Browse	52.20.78.240
	Offer_CTJV.exe	Get hash	malicious	Browse	54.91.59.199
	Mail-Office365_setup.htm	Get hash	malicious	Browse	3.232.242.170
	BALANCE PAYMENT.exe	Get hash	malicious	Browse	54.91.59.199
	order001.exe	Get hash	malicious	Browse	54.91.59.199
	Quote 5190842.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.RATX-gen.28731.10921.exe	Get hash	malicious	Browse	3.220.57.224
	PO-101583.exe	Get hash	malicious	Browse	52.20.78.240

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	hYn08csSGY.exe	Get hash	malicious	Browse	3.233.131.217
	https://djyku.agbamoon.click/?ref=c7aW1wb3J0LWN1c3RvbXMuY21kLmJyZW1lbkB0aGVybW9maXNoZXIuY29t	Get hash	malicious	Browse	3.233.131.217
	xY5B7yM7nB.exe	Get hash	malicious	Browse	3.233.131.217
	JdAXiYMAx6.exe	Get hash	malicious	Browse	3.233.131.217
	SecuriteInfo.com.W32.MSIL_Kryptik.GYT.gen.Eldorado.23568.23625.exe	Get hash	malicious	Browse	3.233.131.217
	SecuriteInfo.com.Gen.Variant.Nemesis.12538.17658.28693.exe	Get hash	malicious	Browse	3.233.131.217
	BEST SOLU.vbs	Get hash	malicious	Browse	3.233.131.217
	http://keynstrings.com/qdop/shriejeapd-xtre-czoyj-wux-182-n-ql72-dn6/?c=fg228vRhwgeAXmTlARVFPNkYQLEru1SQGolYq6DI2QO81BQyaFaUvmsyEbo4THF&dx6ywq7xi--6pmvnh36bm-q6ly=LedZebpban&f5W%2bAIcMkGZ9Lp3h7Da%2bJcuQl1mIISCF0%2bsnvlLl1C7JZwlOpPadnHGgzJCg9kkRnhKcM0BjIT2Bh9Pj1vF476j%3d%1d&url=htths%2a%0v%0wfr-tr.fazeboak.bon%2fUrbanZoccer%7c	Get hash	malicious	Browse	3.233.131.217
	o7ACJlA38_15gGLr5NWIDvIgQW0.vbs	Get hash	malicious	Browse	3.233.131.217
	TOO TEE.vbs	Get hash	malicious	Browse	3.233.131.217
	RE DHL Shipment Notification(BL,INV and PL)215158433805.vbs	Get hash	malicious	Browse	3.233.131.217
	5Gxlq2tnrr.exe	Get hash	malicious	Browse	3.233.131.217
	PAAfelGKpR.exe	Get hash	malicious	Browse	3.233.131.217
	ADZVWz9JH5.exe	Get hash	malicious	Browse	3.233.131.217
	Attachment_name.html	Get hash	malicious	Browse	3.233.131.217
	file.exe	Get hash	malicious	Browse	3.233.131.217
	Mail-Office365_setup.htm	Get hash	malicious	Browse	3.233.131.217
	https://qrco.de/bdPLiz	Get hash	malicious	Browse	3.233.131.217
	exec_ap.exe	Get hash	malicious	Browse	3.233.131.217
	file.exe	Get hash	malicious	Browse	3.233.131.217

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pixel[1].gif

Download File

Process:	C:\Users\user\Desktop\fa_rss.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:	3:CUXPQE/xlEy:1QEoy
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	GIF89a.............!.......,...........D.;

C:\Users\user\AppData\Local\Temp\temp_event

Download File

Process:	C:\Users\user\Desktop\fa_rss.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9881439641616536
Encrypted:	false
SSDEEP:	3:CUXPQE/xlEy:1QEoy
MD5:	D89746888DA2D9510B64A9F031EAECD5
SHA1:	D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
SHA-256:	EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
SHA-512:	D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	GIF89a.............!.......,...........D.;

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.6479028323473806
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fa_rss.exe
File size:	173248
MD5:	b7819e2c9ada79f6123ba7a492e39715
SHA1:	e7f05363626233ace6dfd7c7e8055b5b304b7257
SHA256:	3c153e1c96c5fff2c5ed5aada23e1ec65eece4a64891b104164b5728276fefae
SHA512:	005b67a73fa0879f6c1b203ffd2abbb330a36d0c3b84d684ab0163e9e8b67a5347afa0b8194afc9d817e3b6b581fef1e0516ef7a5a9d4c6ccb8b4f85ae71eb0a
SSDEEP:	3072:Sn8j9PPvjeApFiKPzove7Cs+rDUxJHjQmcpjW0PvpD9JRhcl1LPuRFX2qpFYFiD7:a+9PTeAjRPzh6DUxJ83j7vh/RYuRFava
TLSH:	44049C6138C1C072E967083468F4DBB29D7DBA701F7099DB63984B3A5F307D24A35A6E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S........................W.......................................................i...V.......V.t.....V.......Rich...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x405cfb
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E4C72E3 [Tue Feb 18 23:27:31 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b166f82d434fec4e0b63c22e68b29afc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/20/2019 9:39:50 AM 5/20/2020 8:51:43 AM
Subject Chain	CN=Fast Corporate LTD, O=Fast Corporate LTD, L=Kfar Saba, C=IL
Version:	3
Thumbprint MD5:	86CAA7A78F480716D11551D0DAFDF8B3
Thumbprint SHA-1:	28C92A8D1C570AD2219A62789E7D6388DAFD2F83
Thumbprint SHA-256:	F890446C69A9185F3C0CBCBC1E7C54CFA9933F6974DA61AA72F6C41BFFBF1F45
Serial:	00EAE2AED6D6A503F0

Entrypoint Preview

Instruction
call 00007FDB0CAFECE5h
jmp 00007FDB0CAFE45Fh
cmp ecx, dword ptr [00426014h]
jne 00007FDB0CAFE5E5h
ret
jmp 00007FDB0CAFE60Eh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041D144h]
push dword ptr [ebp+08h]
call dword ptr [0041D140h]
push C0000409h
call dword ptr [0041D148h]
push eax
call dword ptr [0041D14Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FDB0CB143DAh
test eax, eax
je 00007FDB0CAFE5E7h
push 00000002h
pop ecx
int 29h
mov dword ptr [00426CA0h], eax
mov dword ptr [00426C9Ch], ecx
mov dword ptr [00426C98h], edx
mov dword ptr [00426C94h], ebx
mov dword ptr [00426C90h], esi
mov dword ptr [00426C8Ch], edi
mov word ptr [00426CB8h], ss
mov word ptr [00426CACh], cs
mov word ptr [00426C88h], ds
mov word ptr [00426C84h], es
mov word ptr [00426C80h], fs
mov word ptr [00426C7Ch], gs
pushfd
pop dword ptr [00426CB0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00426CA4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00426CA8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00426CB4h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24a34	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x288	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x27000	0x34c0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31000	0x17bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x235a0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x236b4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x23610	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d000	0x254	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ba4c	0x1bc00	False	0.5721952421171171	data	6.638663182635866	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x873a	0x8800	False	0.45272288602941174	data	5.134953489350377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x26000	0x99cc	0xc00	False	0.2177734375	DOS executable (block device driver @\273\)	2.950510818044723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x30000	0x288	0x400	False	0.33203125	data	3.8415391786312774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31000	0x17bc	0x1800	False	0.7928059895833334	data	6.591107848231252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x30060	0x224	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators	English	United States

Imports

DLL	Import
urlmon.dll	URLDownloadToFileW
KERNEL32.dll	Process32FirstW, Process32NextW, CloseHandle, GetCommandLineW, LocalFree, OpenEventW, CreateEventW, MultiByteToWideChar, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, WideCharToMultiByte, SizeofResource, LockResource, LoadResource, FindResourceExW, FindResourceW, InitializeCriticalSectionEx, GetLastError, RaiseException, DecodePointer, DeleteCriticalSection, ExitThread, CreateToolhelp32Snapshot, LoadLibraryExW, WriteConsoleW, SetEndOfFile, CreateFileW, SetFilePointerEx, GetFileSizeEx, GetConsoleCP, FlushFileBuffers, GetStringTypeW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, GetConsoleMode, ReadFile, Sleep, FreeLibraryAndExitThread, DeleteFileW, GetTickCount, GlobalFree, GlobalAlloc, ResumeThread, CreateThread, GetFileType, LCMapStringW, CompareStringW, ExitProcess, GetModuleFileNameW, WriteFile, GetStdHandle, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, SetLastError, GetModuleHandleExW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, GetModuleHandleW, GetProcAddress, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, OutputDebugStringW, RtlUnwind
USER32.dll	KillTimer, GetClientRect, SetWindowLongW, SystemParametersInfoW, TranslateMessage, SetTimer, DispatchMessageW, PostQuitMessage, UpdateWindow, wsprintfW, ShowWindow, GetWindowThreadProcessId, WindowFromPoint, GetPhysicalCursorPos, GetAsyncKeyState, GetSystemMetrics, GetWindowLongW, GetMessageW, DefWindowProcW, PostMessageW, DestroyWindow, SetWindowPos, MessageBoxW, CreateWindowExW, RegisterClassExW
ADVAPI32.dll	RegSetKeyValueW, RegCreateKeyW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW
SHELL32.dll	CommandLineToArgvW, ShellExecuteW
ole32.dll	CoGetClassObject, OleUninitialize, OleSetContainedObject, OleInitialize, CoInitializeEx, CoInitializeSecurity, CoUninitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2022 15:08:57.587954044 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:57.588038921 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:57.588138103 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:57.608814001 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:57.608966112 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:57.902762890 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:57.903000116 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.359415054 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.359491110 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:58.360066891 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:58.360208035 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.363142967 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.363192081 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:58.502279997 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:58.502384901 CEST	443	49709	3.233.131.217	192.168.2.5
Oct 21, 2022 15:08:58.502509117 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.502509117 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.504504919 CEST	49709	443	192.168.2.5	3.233.131.217
Oct 21, 2022 15:08:58.504549980 CEST	443	49709	3.233.131.217	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2022 15:08:57.525113106 CEST	49177	53	192.168.2.5	8.8.8.8
Oct 21, 2022 15:08:57.573355913 CEST	53	49177	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2022 15:08:57.525113106 CEST	192.168.2.5	8.8.8.8	0xb402	Standard query (0)	veryfast.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 21, 2022 15:08:57.573355913 CEST	8.8.8.8	192.168.2.5	0xb402	No error (0)	veryfast.io	3.233.131.217	A (IP address)	IN (0x0001)	false
Oct 21, 2022 15:08:57.573355913 CEST	8.8.8.8	192.168.2.5	0xb402	No error (0)	veryfast.io	44.196.98.136	A (IP address)	IN (0x0001)	false
Oct 21, 2022 15:08:57.573355913 CEST	8.8.8.8	192.168.2.5	0xb402	No error (0)	veryfast.io	3.224.151.187	A (IP address)	IN (0x0001)	false
Oct 21, 2022 15:08:57.573355913 CEST	8.8.8.8	192.168.2.5	0xb402	No error (0)	veryfast.io	3.217.61.79	A (IP address)	IN (0x0001)	false
Oct 21, 2022 15:08:57.573355913 CEST	8.8.8.8	192.168.2.5	0xb402	No error (0)	veryfast.io	44.205.194.40	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

veryfast.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49709	3.233.131.217	443	C:\Users\user\Desktop\fa_rss.exe

Timestamp	Direction	Data
2022-10-21 13:08:58 UTC	OUT	GET /pixel.gif?guid=32BB3542-7533-27D2-5200-3CE24BD43271&version=&evt_src=fa_product&evt_action=channel&id=-1&nocache=4734296 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: veryfast.io Connection: Keep-Alive
2022-10-21 13:08:58 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 21 Oct 2022 13:08:58 GMT Content-Type: image/gif Content-Length: 42 Last-Modified: Mon, 10 Oct 2022 15:03:59 GMT Connection: close ETag: "6344345f-2a" Accept-Ranges: bytes
2022-10-21 13:08:58 UTC	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 01 44 00 3b Data Ascii: GIF89a!,D;

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: fa_rss.exePID: 5928, Parent PID: 3324

General

Target ID:	3
Start time:	15:08:56
Start date:	21/10/2022
Path:	C:\Users\user\Desktop\fa_rss.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\fa_rss.exe
Imagebase:	0x3f0000
File size:	173248 bytes
MD5 hash:	B7819E2C9ADA79F6123BA7A492E39715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: fa_rss.exePID: 5928, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	1802
Total number of Limit Nodes:	45

Executed Functions

Function 003F38C0 Relevance: 58.1, APIs: 11, Strings: 22, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E003F38C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v16;
				int _v528;
				char _v532;
				intOrPtr _v536;
				int _v540;
				void* _v544;
				int _v548;
				void* __esi;
				signed int _t71;
				signed int _t75;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t81;
				intOrPtr* _t84;
				WCHAR* _t89;
				intOrPtr _t91;
				intOrPtr _t92;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				signed int _t99;
				signed int _t100;
				void* _t116;
				signed int _t118;
				void* _t121;
				signed int _t123;
				signed int _t124;
				void* _t137;
				void* _t140;
				signed int _t141;
				signed int _t142;
				void* _t148;
				signed int _t150;
				void* _t153;
				signed int _t155;
				signed int _t156;
				void* _t157;
				void* _t170;
				void* _t174;
				signed int _t180;
				signed int _t181;
				void* _t188;
				void* _t193;
				void* _t198;
				void* _t200;
				void* _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				void* _t214;
				void* _t218;
				intOrPtr* _t222;
				signed int _t223;
				signed int _t224;
				intOrPtr _t229;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				intOrPtr* _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr* _t257;
				intOrPtr* _t258;
				intOrPtr* _t260;
				signed int _t261;
				intOrPtr* _t262;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				void* _t277;
				intOrPtr* _t279;
				void* _t280;
				intOrPtr _t283;
				signed int _t287;
				signed int _t290;
				intOrPtr* _t291;
				signed int* _t296;
				signed int _t301;
				signed int _t303;
				void* _t304;
				signed int _t305;
				void* _t307;
				signed int _t365;

				_t217 = __ebx;
				_t303 = (_t301 & 0xfffffff8) - 0x21c;
				_t71 =  *0x416014; // 0x9d5f503d
				_v8 = _t71 ^ _t303;
				_push(__ebx);
				_push(_t290);
				_push(__edi);
				 *0x417938 = _a4;
				_t275 = E003FDBA0(__ecx, __edx, __eflags, L"APPDATA");
				_t304 = _t303 + 4;
				if(_t275 != 0) {
					_t222 = _t275;
					_t3 = _t222 + 2; // 0x2
					_t290 = _t3;
					do {
						_t75 =  *_t222;
						_t222 = _t222 + 2;
						__eflags = _t75;
					} while (_t75 != 0);
					_t223 = _t222 - _t290;
					__eflags = _t223;
					_t224 = _t223 >> 1;
				} else {
					_t224 = 0;
				}
				_push(_t224);
				E003F4890(_t217, 0x417948, _t275);
				_t77 =  *0x417948; // 0x1447170
				_t218 =  *(_t77 - 0xc);
				_t287 = L"\\fa_rss" - _t77 >> 1;
				_t78 = E003FE090(L"\\fa_rss", 7);
				_v544 = _t78;
				_t305 = _t304 + 8;
				if(0x7fffffff - _t78 < _t218) {
					L133:
					_push(0x80070057);
					E003F5550(_t218, _t275, _t287, _t290);
					goto L134;
				} else {
					_t290 = _t218 + _t78;
					if(_t290 < 0) {
						goto L133;
					} else {
						_t229 =  *0x417948; // 0x1447170
						_t277 = 1 -  *((intOrPtr*)(_t229 - 4));
						if(( *((intOrPtr*)(_t229 - 8)) - _t290 | 0x00000001) < 0) {
							E003F4820(0x417948, _t277, _t290);
							_t229 =  *0x417948;
						}
						_t89 = _t229 + _t287 * 2;
						if(_t287 > _t218) {
							_t89 = L"\\fa_rss";
						}
						_t275 = _v540 + _v540;
						E003F4F00(_t229 + _t218 * 2, _v540 + _v540, _t89, _v540 + _v540);
						_t91 =  *0x417948; // 0x1447170
						_t305 = _t305 + 8;
						_t321 = _t290 -  *((intOrPtr*)(_t91 - 8));
						if(_t290 >  *((intOrPtr*)(_t91 - 8))) {
							goto L133;
						} else {
							 *(_t91 - 0xc) = _t290;
							_t92 =  *0x417948; // 0x1447170
							 *((short*)(_t92 + _t290 * 2)) = 0;
							_t279 = E003FDBA0(0, _t275, _t321, L"TEMP");
							_t307 = _t305 + 4;
							if(_t279 != 0) {
								_t232 = _t279;
								_t18 = _t232 + 2; // 0x2
								_t290 = _t18;
								do {
									_t94 =  *_t232;
									_t232 = _t232 + 2;
									__eflags = _t94;
								} while (_t94 != 0);
								_t233 = _t232 - _t290;
								__eflags = _t233;
								_t234 = _t233 >> 1;
							} else {
								_t234 = 0;
							}
							_push(_t234);
							E003F4890(_t218, 0x417944, _t279);
							_t96 =  *0x417944; // 0x1451ac8
							_t236 = 0x413548;
							while(1) {
								_t280 =  *_t96;
								if(_t280 !=  *_t236) {
									break;
								}
								if(_t280 == 0) {
									L22:
									_t97 = 0;
								} else {
									_t283 =  *((intOrPtr*)(_t96 + 2));
									if(_t283 != _t236[0]) {
										break;
									} else {
										_t96 = _t96 + 4;
										_t236 =  &(_t236[1]);
										if(_t283 != 0) {
											continue;
										} else {
											goto L22;
										}
									}
								}
								L24:
								if(_t97 == 0) {
									_t236 = 0x417944;
									E003F42B0(_t218, 0x417944, _t287, _t290, ".");
								}
								_v540 = 0x200;
								E003F56C0(_t218, _t236); // executed
								_t237 = L"03000200-0400-0500-0006-000700080009";
								_t99 = 0x417738;
								asm("o16 nop [eax+eax]");
								while(1) {
									_t275 =  *_t99;
									if(_t275 !=  *_t237) {
										break;
									}
									if(_t275 == 0) {
										L31:
										_t100 = 0;
									} else {
										_t275 =  *((intOrPtr*)(_t99 + 2));
										if(_t275 !=  *((intOrPtr*)(_t237 + 2))) {
											break;
										} else {
											_t99 = _t99 + 4;
											_t237 = _t237 + 4;
											if(_t275 != 0) {
												continue;
											} else {
												goto L31;
											}
										}
									}
									L33:
									if(_t100 == 0) {
										L61:
										RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Cryptography", 0, 0x101,  &_v544);
										RegQueryValueExW(_v544, L"MachineGuid", 0,  &_v548,  &_v532,  &_v540);
										RegCloseKey(_v544);
										wsprintfW("32BB3542-7533-27D2-5200-3CE24BD43271", L"%wsX", E003FC590( &_v532));
										_t305 = _t307 + 0x10;
									} else {
										_t237 = L"12345678-1234-5678-90AB-CDDEEFAABBCC";
										_t208 = 0x417738;
										while(1) {
											_t275 =  *_t208;
											if(_t275 !=  *_t237) {
												break;
											}
											if(_t275 == 0) {
												L39:
												_t209 = 0;
											} else {
												_t275 =  *((intOrPtr*)(_t208 + 2));
												if(_t275 !=  *((intOrPtr*)(_t237 + 2))) {
													break;
												} else {
													_t208 = _t208 + 4;
													_t237 = _t237 + 4;
													if(_t275 != 0) {
														continue;
													} else {
														goto L39;
													}
												}
											}
											L41:
											if(_t209 == 0) {
												goto L61;
											} else {
												_t237 = L"00000000-0000-0000-0000-000000000000";
												_t210 = 0x417738;
												while(1) {
													_t275 =  *_t210;
													if(_t275 !=  *_t237) {
														break;
													}
													if(_t275 == 0) {
														L47:
														_t211 = 0;
													} else {
														_t275 =  *((intOrPtr*)(_t210 + 2));
														if(_t275 !=  *((intOrPtr*)(_t237 + 2))) {
															break;
														} else {
															_t210 = _t210 + 4;
															_t237 = _t237 + 4;
															if(_t275 != 0) {
																continue;
															} else {
																goto L47;
															}
														}
													}
													L49:
													if(_t211 == 0) {
														goto L61;
													} else {
														_t237 = L"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF";
														_t212 = 0x417738;
														while(1) {
															_t275 =  *_t212;
															if(_t275 !=  *_t237) {
																break;
															}
															if(_t275 == 0) {
																L55:
																_t213 = 0;
															} else {
																_t275 =  *((intOrPtr*)(_t212 + 2));
																if(_t275 !=  *((intOrPtr*)(_t237 + 2))) {
																	break;
																} else {
																	_t212 = _t212 + 4;
																	_t237 = _t237 + 4;
																	if(_t275 != 0) {
																		continue;
																	} else {
																		goto L55;
																	}
																}
															}
															L57:
															if(_t213 == 0) {
																goto L61;
															} else {
																_t271 = 0x417738;
																_t275 = 0x41773a;
																do {
																	_t214 =  *_t271;
																	_t271 = _t271 + 2;
																} while (_t214 != 0);
																_t237 = _t271 - 0x41773a >> 1;
																if(_t237 != 0x24) {
																	goto L61;
																}
															}
															goto L62;
														}
														asm("sbb eax, eax");
														_t213 = _t212 | 0x00000001;
														__eflags = _t213;
														goto L57;
													}
													goto L62;
												}
												asm("sbb eax, eax");
												_t211 = _t210 | 0x00000001;
												__eflags = _t211;
												goto L49;
											}
											goto L62;
										}
										asm("sbb eax, eax");
										_t209 = _t208 | 0x00000001;
										__eflags = _t209;
										goto L41;
									}
									L62:
									_t218 = CommandLineToArgvW(GetCommandLineW(),  &_v528);
									if(_t218 == 0) {
										L123:
										_push(_t237);
										_t290 = _t305;
										_t238 = E003F5450(_t290);
										__eflags = _t238;
										if(_t238 == 0) {
											goto L134;
										} else {
											_t116 =  *((intOrPtr*)( *_t238 + 0xc))();
											_t239 = _t290;
											 *_t290 = _t116 + 0x10;
											_t118 = E003F4640(_t218, _t239, _t275, L"id=-1");
											__eflags = _t118;
											if(_t118 == 0) {
												_push(5);
												_t239 = _t290;
												E003F4890(_t218, _t239, L"id=-1");
											}
											_push(_t239);
											_t290 = _t305;
											_t240 = E003F5450(_t290);
											__eflags = _t240;
											if(_t240 == 0) {
												goto L134;
											} else {
												_t121 =  *((intOrPtr*)( *_t240 + 0xc))();
												_t241 = _t290;
												 *_t290 = _t121 + 0x10;
												_t123 = E003F4640(_t218, _t241, _t275, "channel");
												__eflags = _t123;
												if(_t123 == 0) {
													_t241 = _t290;
													E003F42B0(_t218, _t241, _t287, _t290, "channel");
												}
												_push(_t241);
												_t290 = _t305;
												_t124 = E003F5450(_t290);
												__eflags = _t124;
												if(_t124 == 0) {
													goto L134;
												} else {
													 *_t290 =  *((intOrPtr*)( *_t124 + 0xc))() + 0x10;
													__eflags = E003F4640(_t218, _t290,  *_t124, "product");
													if(__eflags == 0) {
														E003F42B0(_t218, _t290, _t287, _t290, "product"); // executed
													}
													E003F1F10(_t218, _t287, __eflags); // executed
													MessageBoxW(0, L"No News Channel", L"ERROR", 0x10); // executed
													__eflags = _v16 ^ _t305 + 0x0000000c;
													return E003F5D05(_v16 ^ _t305 + 0x0000000c);
												}
											}
										}
									} else {
										_t290 =  *(_t218 + 4);
										_push(_t237);
										_t287 = _t305;
										_t247 = E003F5450(_t290);
										if(_t247 == 0) {
											L134:
											_push(0x80004005);
											E003F5550(_t218, _t275, _t287, _t290);
											asm("int3");
											asm("int3");
											_t81 =  *0x41793c; // 0x1458948
											_push(_t290);
											_t291 =  *((intOrPtr*)(_t81 + 4));
											__eflags =  *((char*)(_t291 + 0xd));
											if( *((char*)(_t291 + 0xd)) == 0) {
												do {
													E003F4B30(0x41793c, 0x41793c,  *((intOrPtr*)(_t291 + 8)));
													_t84 = _t291;
													_t291 =  *_t291;
													_push(0x18);
													E003F6168(_t84);
													_t305 = _t305 + 8;
													__eflags =  *((char*)(_t291 + 0xd));
												} while ( *((char*)(_t291 + 0xd)) == 0);
												_t81 =  *0x41793c; // 0x1458948
											}
											_push(0x18);
											return E003F6168(_t81);
										} else {
											_t137 =  *((intOrPtr*)( *_t247 + 0xc))();
											_t237 = _t287;
											 *_t287 = _t137 + 0x10;
											if(E003F4640(_t218, _t237, _t275, _t290) == 0) {
												_t353 = _t290;
												if(_t290 != 0) {
													_t268 = _t290;
													_t275 = _t268 + 2;
													do {
														_t206 =  *_t268;
														_t268 = _t268 + 2;
														__eflags = _t206;
													} while (_t206 != 0);
													_t269 = _t268 - _t275;
													__eflags = _t269;
													_t270 = _t269 >> 1;
												} else {
													_t270 = 0;
												}
												_push(_t270);
												_t237 = _t287;
												E003F4890(_t218, _t237, _t290);
											}
											_t140 = E003F1E10(_t218, _t275, _t287, _t290, _t353);
											_t305 = _t305 + 4;
											if(_t140 != 0x628374a0 || _v536 != 3) {
												goto L123;
											} else {
												_t248 =  *(_t218 + 8);
												_t141 = L"default";
												while(1) {
													_t275 =  *_t141;
													if(_t275 !=  *_t248) {
														break;
													}
													if(_t275 == 0) {
														L78:
														_t142 = 0;
													} else {
														_t275 =  *((intOrPtr*)(_t141 + 2));
														if(_t275 !=  *((intOrPtr*)(_t248 + 2))) {
															break;
														} else {
															_t141 = _t141 + 4;
															_t248 = _t248 + 4;
															if(_t275 != 0) {
																continue;
															} else {
																goto L78;
															}
														}
													}
													L80:
													if(_t142 == 0) {
														 *0x4169b8 = 0;
														goto L108;
													} else {
														_t257 = E003F5450(_t290);
														if(_t257 == 0) {
															goto L134;
														} else {
															_t170 =  *((intOrPtr*)( *_t257 + 0xc))();
															_push(_t257);
															_v544 = _t170 + 0x10;
															_t290 = _t305;
															_t258 = E003F5450(_t290);
															if(_t258 == 0) {
																goto L134;
															} else {
																_t174 =  *((intOrPtr*)( *_t258 + 0xc))();
																_t259 = _t290;
																 *_t290 = _t174 + 0x10;
																if(E003F4640(_t218, _t290, _t275, 0x417738) == 0) {
																	_t265 = 0x417738;
																	_t275 = 0x41773a;
																	do {
																		_t204 =  *_t265;
																		_t265 = _t265 + 2;
																	} while (_t204 != 0);
																	_t266 = _t265 - 0x41773a;
																	_t365 = _t266;
																	_push(_t266 >> 1);
																	_t259 = _t290;
																	E003F4890(_t218, _t290, 0x417738);
																}
																_push(E003F1E10(_t218, _t275, _t287, _t290, _t365));
																E003F4AB0(_t259,  &_v544, L"%u");
																_t290 = _v544;
																_t305 = _t305 + 0x10;
																_t248 =  *(_t218 + 8);
																_t180 = _t290;
																while(1) {
																	_t275 =  *_t180;
																	if(_t275 !=  *_t248) {
																		break;
																	}
																	if(_t275 == 0) {
																		L92:
																		_t181 = 0;
																	} else {
																		_t275 =  *((intOrPtr*)(_t180 + 2));
																		if(_t275 !=  *((intOrPtr*)(_t248 + 2))) {
																			break;
																		} else {
																			_t180 = _t180 + 4;
																			_t248 = _t248 + 4;
																			if(_t275 != 0) {
																				continue;
																			} else {
																				goto L92;
																			}
																		}
																	}
																	L94:
																	if(_t181 == 0) {
																		L105:
																		_t296 = _t290 + 0xfffffff0;
																		asm("lock xadd [esi+0xc], eax");
																		if((_t181 | 0xffffffff) - 1 <= 0) {
																			_t248 =  *_t296;
																			 *((intOrPtr*)( *_t248 + 4))(_t296);
																		}
																		L108:
																		LocalFree(_t218);
																		if(OpenEventW(0x1f0003, 1, L"Local\\fa_rss") == 0) {
																			CreateEventW(0, 0, 0, L"Local\\fa_rss");
																			_push(_t248);
																			_t290 = _t305;
																			_t249 = E003F5450(_t290);
																			__eflags = _t249;
																			if(_t249 != 0) {
																				_t148 =  *((intOrPtr*)( *_t249 + 0xc))();
																				_t250 = _t290;
																				 *_t290 = _t148 + 0x10;
																				_t150 = E003F4640(_t218, _t250, _t275, 0x413548);
																				__eflags = _t150;
																				if(_t150 == 0) {
																					_push(0);
																					_t250 = _t290;
																					E003F4890(_t218, _t250, 0x413548);
																				}
																				_push(_t250);
																				_t290 = _t305;
																				_t251 = E003F5450(_t290);
																				__eflags = _t251;
																				if(_t251 != 0) {
																					_t153 =  *((intOrPtr*)( *_t251 + 0xc))();
																					_t252 = _t290;
																					 *_t290 = _t153 + 0x10;
																					_t155 = E003F4640(_t218, _t252, _t275, "active");
																					__eflags = _t155;
																					if(_t155 == 0) {
																						_t252 = _t290;
																						E003F42B0(_t218, _t252, _t287, _t290, "active");
																					}
																					_push(_t252);
																					_t290 = _t305;
																					_t156 = E003F5450(_t290);
																					__eflags = _t156;
																					if(_t156 != 0) {
																						_t282 =  *_t156;
																						_t157 =  *((intOrPtr*)( *_t156 + 0xc))();
																						_t254 = _t290;
																						 *_t290 = _t157 + 0x10;
																						__eflags = E003F4640(_t218, _t290,  *_t156, "product");
																						if(__eflags == 0) {
																							_t254 = _t290;
																							E003F42B0(_t218, _t290, _t287, _t290, "product");
																						}
																						E003F1F10(_t218, _t287, __eflags);
																						__eflags =  *0x4169b8;
																						if(__eflags != 0) {
																							E003FDD09(_t254,  &M003F3670, 0, 0);
																						}
																						L122:
																						Sleep(0xdbba0);
																						L003F24C0(_t218, _t282, _t287, __eflags);
																						goto L122;
																					}
																				}
																			}
																			goto L134;
																		} else {
																			return E003F5D05(_v16 ^ _t305);
																		}
																	} else {
																		_push(_t248);
																		_t287 = _t305;
																		_t260 = E003F5450(_t290);
																		if(_t260 == 0) {
																			goto L134;
																		} else {
																			_t188 =  *((intOrPtr*)( *_t260 + 0xc))();
																			_t261 = _t287;
																			 *_t287 = _t188 + 0x10;
																			if(E003F4640(_t218, _t261, _t275, L"id=-2") == 0) {
																				_push(5);
																				_t261 = _t287;
																				E003F4890(_t218, _t261, L"id=-2");
																			}
																			_push(_t261);
																			_t287 = _t305;
																			_t262 = E003F5450(_t290);
																			if(_t262 == 0) {
																				goto L134;
																			} else {
																				_t193 =  *((intOrPtr*)( *_t262 + 0xc))();
																				_t263 = _t287;
																				 *_t287 = _t193 + 0x10;
																				if(E003F4640(_t218, _t263, _t275, "channel") == 0) {
																					_t263 = _t287;
																					E003F42B0(_t218, _t263, _t287, _t290, "channel");
																				}
																				_push(_t263);
																				_t287 = _t305;
																				_t264 = E003F5450(_t290);
																				if(_t264 == 0) {
																					goto L134;
																				} else {
																					_t198 =  *((intOrPtr*)( *_t264 + 0xc))();
																					_t248 = _t287;
																					 *_t287 = _t198 + 0x10;
																					_t200 = E003F4640(_t218, _t248, _t275, "product");
																					_t376 = _t200;
																					if(_t200 == 0) {
																						_t248 = _t287;
																						E003F42B0(_t218, _t248, _t287, _t290, "product");
																					}
																					_t181 = E003F1F10(_t218, _t287, _t376);
																					_t305 = _t305 + 0xc;
																					 *0x4169b8 = 0;
																					goto L105;
																				}
																			}
																		}
																	}
																	goto L139;
																}
																asm("sbb eax, eax");
																_t181 = _t180 | 0x00000001;
																__eflags = _t181;
																goto L94;
															}
														}
													}
													goto L139;
												}
												asm("sbb eax, eax");
												_t142 = _t141 | 0x00000001;
												__eflags = _t142;
												goto L80;
											}
										}
									}
									goto L139;
								}
								asm("sbb eax, eax");
								_t100 = _t99 | 0x00000001;
								__eflags = _t100;
								goto L33;
							}
							asm("sbb eax, eax");
							_t97 = _t96 | 0x00000001;
							__eflags = _t97;
							goto L24;
						}
					}
				}
				L139:
			}

0x003f38c0
0x003f38c6
0x003f38cc
0x003f38d3
0x003f38dd
0x003f38de
0x003f38df
0x003f38e5
0x003f38ef
0x003f38f1
0x003f38f6
0x003f38fc
0x003f38fe
0x003f38fe
0x003f3901
0x003f3901
0x003f3904
0x003f3907
0x003f3907
0x003f390c
0x003f390c
0x003f390e
0x003f38f8
0x003f38f8
0x003f38f8
0x003f3910
0x003f3917
0x003f391c
0x003f392f
0x003f3932
0x003f3934
0x003f393e
0x003f3944
0x003f3949
0x003f403a
0x003f403a
0x003f403f
0x00000000
0x003f394f
0x003f394f
0x003f3954
0x00000000
0x003f395a
0x003f395a
0x003f3968
0x003f396f
0x003f3977
0x003f397c
0x003f397c
0x003f3982
0x003f3987
0x003f3989
0x003f3989
0x003f3995
0x003f3999
0x003f399e
0x003f39a3
0x003f39a6
0x003f39a9
0x00000000
0x003f39af
0x003f39af
0x003f39b4
0x003f39be
0x003f39c7
0x003f39c9
0x003f39ce
0x003f39d4
0x003f39d6
0x003f39d6
0x003f39e0
0x003f39e0
0x003f39e3
0x003f39e6
0x003f39e6
0x003f39eb
0x003f39eb
0x003f39ed
0x003f39d0
0x003f39d0
0x003f39d0
0x003f39ef
0x003f39f6
0x003f39fb
0x003f3a00
0x003f3a05
0x003f3a05
0x003f3a0b
0x00000000
0x00000000
0x003f3a10
0x003f3a27
0x003f3a27
0x003f3a12
0x003f3a12
0x003f3a1a
0x00000000
0x003f3a1c
0x003f3a1c
0x003f3a1f
0x003f3a25
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3a25
0x003f3a1a
0x003f3a30
0x003f3a32
0x003f3a39
0x003f3a3e
0x003f3a3e
0x003f3a43
0x003f3a4b
0x003f3a50
0x003f3a55
0x003f3a5a
0x003f3a60
0x003f3a60
0x003f3a66
0x00000000
0x00000000
0x003f3a6b
0x003f3a82
0x003f3a82
0x003f3a6d
0x003f3a6d
0x003f3a75
0x00000000
0x003f3a77
0x003f3a77
0x003f3a7a
0x003f3a80
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3a80
0x003f3a75
0x003f3a8b
0x003f3a8d
0x003f3b6b
0x003f3b81
0x003f3ba1
0x003f3bab
0x003f3bc9
0x003f3bcf
0x003f3a93
0x003f3a93
0x003f3a98
0x003f3aa0
0x003f3aa0
0x003f3aa6
0x00000000
0x00000000
0x003f3aab
0x003f3ac2
0x003f3ac2
0x003f3aad
0x003f3aad
0x003f3ab5
0x00000000
0x003f3ab7
0x003f3ab7
0x003f3aba
0x003f3ac0
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3ac0
0x003f3ab5
0x003f3acb
0x003f3acd
0x00000000
0x003f3ad3
0x003f3ad3
0x003f3ad8
0x003f3ae0
0x003f3ae0
0x003f3ae6
0x00000000
0x00000000
0x003f3aeb
0x003f3b02
0x003f3b02
0x003f3aed
0x003f3aed
0x003f3af5
0x00000000
0x003f3af7
0x003f3af7
0x003f3afa
0x003f3b00
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3b00
0x003f3af5
0x003f3b0b
0x003f3b0d
0x00000000
0x003f3b0f
0x003f3b0f
0x003f3b14
0x003f3b20
0x003f3b20
0x003f3b26
0x00000000
0x00000000
0x003f3b2b
0x003f3b42
0x003f3b42
0x003f3b2d
0x003f3b2d
0x003f3b35
0x00000000
0x003f3b37
0x003f3b37
0x003f3b3a
0x003f3b40
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3b40
0x003f3b35
0x003f3b4b
0x003f3b4d
0x00000000
0x003f3b4f
0x003f3b4f
0x003f3b54
0x003f3b57
0x003f3b57
0x003f3b5a
0x003f3b5d
0x003f3b64
0x003f3b69
0x00000000
0x00000000
0x003f3b69
0x00000000
0x003f3b4d
0x003f3b46
0x003f3b48
0x003f3b48
0x00000000
0x003f3b48
0x00000000
0x003f3b0d
0x003f3b06
0x003f3b08
0x003f3b08
0x00000000
0x003f3b08
0x00000000
0x003f3acd
0x003f3ac6
0x003f3ac8
0x003f3ac8
0x00000000
0x003f3ac8
0x003f3bd2
0x003f3be4
0x003f3be8
0x003f3f5e
0x003f3f5e
0x003f3f5f
0x003f3f66
0x003f3f68
0x003f3f6a
0x00000000
0x003f3f70
0x003f3f72
0x003f3f78
0x003f3f7f
0x003f3f81
0x003f3f86
0x003f3f88
0x003f3f8a
0x003f3f91
0x003f3f93
0x003f3f93
0x003f3f98
0x003f3f99
0x003f3fa0
0x003f3fa2
0x003f3fa4
0x00000000
0x003f3faa
0x003f3fac
0x003f3fb2
0x003f3fb9
0x003f3fbb
0x003f3fc0
0x003f3fc2
0x003f3fc9
0x003f3fcb
0x003f3fcb
0x003f3fd0
0x003f3fd1
0x003f3fd3
0x003f3fd8
0x003f3fda
0x00000000
0x003f3fdc
0x003f3fed
0x003f3ff4
0x003f3ff6
0x003f3fff
0x003f3fff
0x003f4004
0x003f401a
0x003f402d
0x003f4037
0x003f4037
0x003f3fda
0x003f3fa4
0x003f3bee
0x003f3bee
0x003f3bf1
0x003f3bf2
0x003f3bf9
0x003f3bfd
0x003f4044
0x003f4044
0x003f4049
0x003f404e
0x003f404f
0x003f4050
0x003f4055
0x003f4056
0x003f4059
0x003f405d
0x003f4060
0x003f406d
0x003f4072
0x003f4074
0x003f4076
0x003f4079
0x003f407e
0x003f4081
0x003f4081
0x003f4087
0x003f4087
0x003f408c
0x003f4098
0x003f3c03
0x003f3c05
0x003f3c0b
0x003f3c0e
0x003f3c17
0x003f3c19
0x003f3c1b
0x003f3c21
0x003f3c23
0x003f3c26
0x003f3c26
0x003f3c29
0x003f3c2c
0x003f3c2c
0x003f3c31
0x003f3c31
0x003f3c33
0x003f3c1d
0x003f3c1d
0x003f3c1d
0x003f3c35
0x003f3c37
0x003f3c39
0x003f3c39
0x003f3c3e
0x003f3c43
0x003f3c4b
0x00000000
0x003f3c5c
0x003f3c5c
0x003f3c5f
0x003f3c64
0x003f3c64
0x003f3c6a
0x00000000
0x00000000
0x003f3c6f
0x003f3c86
0x003f3c86
0x003f3c71
0x003f3c71
0x003f3c79
0x00000000
0x003f3c7b
0x003f3c7b
0x003f3c7e
0x003f3c84
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3c84
0x003f3c79
0x003f3c8f
0x003f3c91
0x003f3e2c
0x00000000
0x003f3c97
0x003f3c9c
0x003f3ca0
0x00000000
0x003f3ca6
0x003f3ca8
0x003f3cae
0x003f3caf
0x003f3cb3
0x003f3cba
0x003f3cbe
0x00000000
0x003f3cc4
0x003f3cc6
0x003f3ccc
0x003f3cd3
0x003f3cdc
0x003f3cde
0x003f3ce3
0x003f3ce6
0x003f3ce6
0x003f3ce9
0x003f3cec
0x003f3cf1
0x003f3cf1
0x003f3cf5
0x003f3cfb
0x003f3cfd
0x003f3cfd
0x003f3d0a
0x003f3d15
0x003f3d1a
0x003f3d1e
0x003f3d21
0x003f3d24
0x003f3d26
0x003f3d26
0x003f3d2c
0x00000000
0x00000000
0x003f3d31
0x003f3d48
0x003f3d48
0x003f3d33
0x003f3d33
0x003f3d3b
0x00000000
0x003f3d3d
0x003f3d3d
0x003f3d40
0x003f3d46
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3d46
0x003f3d3b
0x003f3d51
0x003f3d53
0x003f3e12
0x003f3e12
0x003f3e18
0x003f3e20
0x003f3e22
0x003f3e27
0x003f3e27
0x003f3e33
0x003f3e34
0x003f3e4e
0x003f3e74
0x003f3e7a
0x003f3e7b
0x003f3e82
0x003f3e84
0x003f3e86
0x003f3e8e
0x003f3e94
0x003f3e9b
0x003f3e9d
0x003f3ea2
0x003f3ea4
0x003f3ea6
0x003f3ead
0x003f3eaf
0x003f3eaf
0x003f3eb4
0x003f3eb5
0x003f3ebc
0x003f3ebe
0x003f3ec0
0x003f3ec8
0x003f3ece
0x003f3ed5
0x003f3ed7
0x003f3edc
0x003f3ede
0x003f3ee5
0x003f3ee7
0x003f3ee7
0x003f3eec
0x003f3eed
0x003f3eef
0x003f3ef4
0x003f3ef6
0x003f3efc
0x003f3f00
0x003f3f06
0x003f3f0d
0x003f3f14
0x003f3f16
0x003f3f1d
0x003f3f1f
0x003f3f1f
0x003f3f24
0x003f3f2c
0x003f3f33
0x003f3f3e
0x003f3f43
0x003f3f50
0x003f3f55
0x003f3f57
0x00000000
0x003f3f57
0x003f3ef6
0x003f3ec0
0x00000000
0x003f3e50
0x003f3e66
0x003f3e66
0x003f3d59
0x003f3d59
0x003f3d5a
0x003f3d61
0x003f3d65
0x00000000
0x003f3d6b
0x003f3d6d
0x003f3d73
0x003f3d7a
0x003f3d83
0x003f3d85
0x003f3d8c
0x003f3d8e
0x003f3d8e
0x003f3d93
0x003f3d94
0x003f3d9b
0x003f3d9f
0x00000000
0x003f3da5
0x003f3da7
0x003f3dad
0x003f3db4
0x003f3dbd
0x003f3dc4
0x003f3dc6
0x003f3dc6
0x003f3dcb
0x003f3dcc
0x003f3dd3
0x003f3dd7
0x00000000
0x003f3ddd
0x003f3ddf
0x003f3de5
0x003f3dec
0x003f3dee
0x003f3df3
0x003f3df5
0x003f3dfc
0x003f3dfe
0x003f3dfe
0x003f3e03
0x003f3e08
0x003f3e0b
0x00000000
0x003f3e0b
0x003f3dd7
0x003f3d9f
0x003f3d65
0x00000000
0x003f3d53
0x003f3d4c
0x003f3d4e
0x003f3d4e
0x00000000
0x003f3d4e
0x003f3cbe
0x003f3ca0
0x00000000
0x003f3c91
0x003f3c8a
0x003f3c8c
0x003f3c8c
0x00000000
0x003f3c8c
0x003f3c4b
0x003f3bfd
0x00000000
0x003f3be8
0x003f3a86
0x003f3a88
0x003f3a88
0x00000000
0x003f3a88
0x003f3a2b
0x003f3a2d
0x003f3a2d
0x00000000
0x003f3a2d
0x003f39a9
0x003f3954
0x00000000

Strings

HyA, xrefs: 003F3912
invalid stoll argument, xrefs: 003F3421
32BB3542-7533-27D2-5200-3CE24BD43271, xrefs: 003F3A55, 003F3BC4
stoll argument out of range, xrefs: 003F3417
TEMP, xrefs: 003F39B9
DyA, xrefs: 003F39F1
%wsX, xrefs: 003F3BBF
default, xrefs: 003F3C5F
\fa_rss, xrefs: 003F3921, 003F392A, 003F3998
active, xrefs: 003F3ED0
Local\fa_rss, xrefs: 003F3E3A, 003F3E69
product, xrefs: 003F3F08, 003F3FE8, 003F3FF8
ERROR, xrefs: 003F400E
SOFTWARE\Microsoft\Cryptography, xrefs: 003F3B77
APPDATA, xrefs: 003F38E0
MachineGuid, xrefs: 003F3B98
id=-1, xrefs: 003F3F7A, 003F3F8C
<yA, xrefs: 003F4063
No News Channel, xrefs: 003F4013
03000200-0400-0500-0006-000700080009, xrefs: 003F3A50
H5A, xrefs: 003F3A00
channel, xrefs: 003F3FB4, 003F3FC4

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: %wsX$03000200-0400-0500-0006-000700080009$32BB3542-7533-27D2-5200-3CE24BD43271$<yA$APPDATA$DyA$ERROR$H5A$HyA$Local\fa_rss$MachineGuid$No News Channel$SOFTWARE\Microsoft\Cryptography$TEMP$\fa_rss$active$channel$default$id=-1$invalid stoll argument$product$stoll argument out of range
API String ID: 0-1771998785
Opcode ID: ba031cfea62108597ed7860c8467a9432063d709913a52c69b11d41ce5741b8e
Instruction ID: 5af29cf219acb9125e47992cfefee9c3613a9bebb850aec6dde866da649b9094
Opcode Fuzzy Hash: ba031cfea62108597ed7860c8467a9432063d709913a52c69b11d41ce5741b8e
Instruction Fuzzy Hash: BEB13431B002099BDB22AF64EC0ABBB7BA59F40704F144068FB499F2A2DF35DD44C799

Uniqueness

Uniqueness Score: -1.00%

Function 003F56C0 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 340
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E003F56C0(signed int __ebx, signed int* __ecx) {
				signed int _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed short* _v52;
				char _v60;
				void* __edi;
				void* __ebp;
				signed int _t77;
				char* _t79;
				signed int* _t81;
				signed int _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				intOrPtr* _t89;
				signed int _t90;
				intOrPtr* _t91;
				intOrPtr* _t95;
				signed int _t97;
				intOrPtr* _t99;
				signed int _t101;
				signed int _t103;
				intOrPtr* _t108;
				signed int _t110;
				signed int _t113;
				signed int _t115;
				signed int _t116;
				signed int _t119;
				signed int _t126;
				signed int _t128;
				signed int* _t131;
				signed int _t141;
				signed short* _t148;
				signed int _t150;
				signed int _t158;
				signed int* _t160;
				signed int _t162;
				void* _t164;
				signed int _t166;
				signed int _t167;
				signed int _t169;
				intOrPtr* _t171;
				signed int _t172;
				void* _t174;
				void* _t175;
				void* _t176;

				_t131 = __ecx;
				_t126 = __ebx;
				_t175 = _t174 - 0x2c;
				_t77 =  *0x416014; // 0x9d5f503d
				_t79 =  &_v16;
				 *[fs:0x0] = _t79;
				__imp__CoInitializeEx(0, 0, _t77 ^ _t172, _t158, _t164, __ebx,  *[fs:0x0], E0040C935, 0xffffffff); // executed
				if(_t79 < 0) {
					L19:
					 *[fs:0x0] = _v16;
					return 0;
				} else {
					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
					if(_t79 < 0) {
						L18:
						__imp__CoUninitialize();
						goto L19;
					} else {
						_t81 =  &_v24;
						_v24 = 0;
						__imp__CoCreateInstance(0x40d360, 0, 1, 0x40d370, _t81); // executed
						_t181 = _t81;
						if(_t81 < 0) {
							goto L18;
						} else {
							_v20 = 0;
							_t82 = E003F637E(__ebx, __ecx, _t158, _t181, 0xc);
							_t166 = _t82;
							_t176 = _t175 + 4;
							_v40 = _t166;
							_v8 = 0;
							if(_t166 == 0) {
								_t166 = 0;
								__eflags = 0;
								goto L7;
							} else {
								 *(_t166 + 4) = 0;
								 *((intOrPtr*)(_t166 + 8)) = 1;
								__imp__#2(L"ROOT\\CIMV2");
								 *_t166 = _t82;
								if(_t82 == 0) {
									L48:
									E003F6C30(0x8007000e);
									goto L49;
								} else {
									L7:
									_v8 = 0xffffffff;
									_v40 = _t166;
									if(_t166 == 0) {
										goto L48;
									} else {
										_v8 = 1;
										_t89 = _v24;
										_t90 =  *((intOrPtr*)( *_t89 + 0xc))(_t89,  *_t166, 0, 0, 0, 0, 0, 0,  &_v20);
										_t128 = _t126 | 0xffffffff;
										_v8 = 0xffffffff;
										_t158 = _t90;
										asm("lock xadd [esi+0x8], ecx");
										_t131 = _t128 - 1;
										if(_t131 == 0) {
											_t131 =  *_t166;
											if(_t131 != 0) {
												__imp__#6(_t131);
												 *_t166 = 0;
											}
											_t124 =  *(_t166 + 4);
											if( *(_t166 + 4) != 0) {
												L003F63AE(_t124);
												_t176 = _t176 + 4;
												 *(_t166 + 4) = 0;
											}
											_push(0xc);
											_t90 = E003F6168(_t166);
											_t176 = _t176 + 8;
										}
										if(_t158 < 0) {
											L17:
											_t91 = _v24;
											 *((intOrPtr*)( *_t91 + 8))(_t91);
											goto L18;
										} else {
											__imp__CoSetProxyBlanket(_v20, 0xa, 0, 0, 3, 3, 0, 0); // executed
											if(_t90 >= 0) {
												_v28 = 0;
												_t169 = E003F637E(_t128, _t131, _t158, __eflags, 0xc);
												_t176 = _t176 + 4;
												_v40 = _t169;
												_v8 = 2;
												__eflags = _t169;
												if(_t169 == 0) {
													_t166 = 0;
													__eflags = 0;
												} else {
													 *(_t169 + 4) = 0;
													 *((intOrPtr*)(_t169 + 8)) = 1;
													 *_t169 = E003F6C50(_t128, "SELECT * FROM Win32_ComputerSystemProduct");
												}
												_v8 = 0xffffffff;
												_v40 = _t166;
												__eflags = _t166;
												if(__eflags == 0) {
													goto L48;
												} else {
													_v8 = 3;
													_t162 = E003F637E(_t128, _t131, _t158, __eflags, 0xc);
													_t176 = _t176 + 4;
													_v44 = _t162;
													_v8 = 4;
													__eflags = _t162;
													if(_t162 == 0) {
														_t158 = 0;
														__eflags = 0;
													} else {
														 *(_t162 + 4) = 0;
														 *((intOrPtr*)(_t162 + 8)) = 1;
														 *_t162 = E003F6C50(_t128, "WQL");
													}
													_v8 = 3;
													_v44 = _t158;
													__eflags = _t158;
													if(_t158 == 0) {
														L49:
														_t84 = E003F6C30(0x8007000e);
														asm("int3");
														_push(_t172);
														_push(_t131);
														_push(_t166);
														_push(_t158);
														_t160 = _t131;
														_t167 =  *_t160;
														__eflags = _t167;
														if(_t167 != 0) {
															asm("lock xadd [esi+0x8], eax");
															_t84 = (_t84 | 0xffffffff) - 1;
															__eflags = _t84;
															if(_t84 == 0) {
																_t86 =  *_t167;
																__eflags = _t86;
																if(_t86 != 0) {
																	__imp__#6(_t86);
																	 *_t167 = 0;
																}
																_t87 =  *(_t167 + 4);
																__eflags = _t87;
																if(_t87 != 0) {
																	L003F63AE(_t87);
																	_t176 = _t176 + 4;
																	 *(_t167 + 4) = 0;
																}
																_push(0xc);
																_t84 = E003F6168(_t167);
															}
															 *_t160 = 0;
														}
														return _t84;
													} else {
														_v8 = 5;
														_t95 = _v20;
														_v40 =  *((intOrPtr*)( *_t95 + 0x50))(_t95,  *_t158,  *_t166, 0x30, 0,  &_v28);
														asm("lock xadd [edi+0x8], ecx");
														__eflags = _t128 == 1;
														if(_t128 == 1) {
															_t150 =  *_t158;
															__eflags = _t150;
															if(_t150 != 0) {
																__imp__#6(_t150);
																 *_t158 = 0;
															}
															_t119 =  *(_t158 + 4);
															__eflags = _t119;
															if(_t119 != 0) {
																L003F63AE(_t119);
																_t176 = _t176 + 4;
																 *(_t158 + 4) = 0;
															}
															_push(0xc);
															E003F6168(_t158);
															_t176 = _t176 + 8;
														}
														_v8 = 0xffffffff;
														asm("lock xadd [esi+0x8], ebx");
														__eflags = _t128 == 1;
														if(_t128 == 1) {
															_t115 =  *_t166;
															__eflags = _t115;
															if(_t115 != 0) {
																__imp__#6(_t115);
																 *_t166 = 0;
															}
															_t116 =  *(_t166 + 4);
															__eflags = _t116;
															if(_t116 != 0) {
																L003F63AE(_t116);
																_t176 = _t176 + 4;
																 *(_t166 + 4) = 0;
															}
															_push(0xc);
															E003F6168(_t166);
														}
														__eflags = _v40;
														if(_v40 < 0) {
															goto L16;
														} else {
															_t141 = _v28;
															_v32 = 0;
															_v36 = 0;
															__eflags = _t141;
															if(_t141 != 0) {
																_t171 = __imp__#9;
																while(1) {
																	 *((intOrPtr*)( *_t141 + 0x10))(_t141, 0xffffffff, 1,  &_v32,  &_v36);
																	__eflags = _v36;
																	if(_v36 == 0) {
																		goto L47;
																	}
																	_t108 = _v32;
																	 *((intOrPtr*)( *_t108 + 0x10))(_t108, L"UUID", 0,  &_v60, 0, 0);
																	_t148 = _v52;
																	__eflags = 0x417738;
																	do {
																		_t110 =  *_t148 & 0x0000ffff;
																		_t148 =  &(_t148[1]);
																		 *(0x417738 + _t148 - 2) = _t110;
																		__eflags = _t110;
																	} while (_t110 != 0);
																	 *_t171( &_v60);
																	_t113 = _v32;
																	 *((intOrPtr*)( *_t113 + 8))(_t113);
																	_t141 = _v28;
																	__eflags = _t141;
																	if(_t141 != 0) {
																		continue;
																	}
																	goto L47;
																}
															}
															L47:
															_t99 = _v20;
															 *((intOrPtr*)( *_t99 + 8))(_t99);
															_t101 = _v24;
															 *((intOrPtr*)( *_t101 + 8))(_t101);
															_t103 = _v28;
															 *((intOrPtr*)( *_t103 + 8))(_t103);
															__imp__CoUninitialize(); // executed
															 *[fs:0x0] = _v16;
															return 1;
														}
													}
												}
											} else {
												L16:
												_t97 = _v20;
												 *((intOrPtr*)( *_t97 + 8))(_t97);
												goto L17;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x003f56c0
0x003f56c0
0x003f56d1
0x003f56d7
0x003f56df
0x003f56e2
0x003f56ec
0x003f56f4
0x003f583f
0x003f5844
0x003f5852
0x003f56fa
0x003f570c
0x003f5714
0x003f5839
0x003f5839
0x00000000
0x003f571a
0x003f571a
0x003f571d
0x003f5733
0x003f5739
0x003f573b
0x00000000
0x003f5741
0x003f5743
0x003f574a
0x003f574f
0x003f5751
0x003f5754
0x003f5757
0x003f5760
0x003f5787
0x003f5787
0x00000000
0x003f5762
0x003f5767
0x003f576e
0x003f5775
0x003f577b
0x003f577f
0x003f5a4b
0x003f5a50
0x00000000
0x003f5785
0x003f5789
0x003f5789
0x003f5790
0x003f5795
0x00000000
0x003f579b
0x003f579e
0x003f57a5
0x003f57ba
0x003f57bd
0x003f57c0
0x003f57c7
0x003f57cb
0x003f57d0
0x003f57d1
0x003f57d3
0x003f57d7
0x003f57da
0x003f57e0
0x003f57e0
0x003f57e6
0x003f57eb
0x003f57ee
0x003f57f3
0x003f57f6
0x003f57f6
0x003f57fd
0x003f5800
0x003f5805
0x003f5805
0x003f580a
0x003f5830
0x003f5830
0x003f5836
0x00000000
0x003f580c
0x003f581d
0x003f5825
0x003f5855
0x003f5861
0x003f5863
0x003f5866
0x003f5869
0x003f5870
0x003f5872
0x003f5890
0x003f5890
0x003f5874
0x003f5879
0x003f5880
0x003f588c
0x003f588c
0x003f5892
0x003f5899
0x003f589c
0x003f589e
0x00000000
0x003f58a4
0x003f58a6
0x003f58b2
0x003f58b4
0x003f58b7
0x003f58ba
0x003f58be
0x003f58c0
0x003f58de
0x003f58de
0x003f58c2
0x003f58c7
0x003f58ce
0x003f58da
0x003f58da
0x003f58e0
0x003f58e4
0x003f58e7
0x003f58e9
0x003f5a55
0x003f5a5a
0x003f5a5f
0x003f5a60
0x003f5a63
0x003f5a64
0x003f5a65
0x003f5a66
0x003f5a68
0x003f5a6a
0x003f5a6c
0x003f5a71
0x003f5a76
0x003f5a76
0x003f5a77
0x003f5a79
0x003f5a7b
0x003f5a7d
0x003f5a80
0x003f5a86
0x003f5a86
0x003f5a8c
0x003f5a8f
0x003f5a91
0x003f5a94
0x003f5a99
0x003f5a9c
0x003f5a9c
0x003f5aa3
0x003f5aa6
0x003f5aab
0x003f5aae
0x003f5aae
0x003f5ab9
0x003f58ef
0x003f58f2
0x003f58f6
0x003f5908
0x003f590d
0x003f5912
0x003f5913
0x003f5915
0x003f5917
0x003f5919
0x003f591c
0x003f5922
0x003f5922
0x003f5928
0x003f592b
0x003f592d
0x003f5930
0x003f5935
0x003f5938
0x003f5938
0x003f593f
0x003f5942
0x003f5947
0x003f5947
0x003f594a
0x003f5951
0x003f5956
0x003f5957
0x003f5959
0x003f595b
0x003f595d
0x003f5960
0x003f5966
0x003f5966
0x003f596c
0x003f596f
0x003f5971
0x003f5974
0x003f5979
0x003f597c
0x003f597c
0x003f5983
0x003f5986
0x003f598b
0x003f598e
0x003f5992
0x00000000
0x003f5998
0x003f5998
0x003f599b
0x003f59a2
0x003f59a9
0x003f59ab
0x003f59ad
0x003f59b3
0x003f59c2
0x003f59c5
0x003f59c9
0x00000000
0x00000000
0x003f59cb
0x003f59e0
0x003f59e3
0x003f59eb
0x003f59f0
0x003f59f0
0x003f59f3
0x003f59f6
0x003f59fb
0x003f59fb
0x003f5a04
0x003f5a06
0x003f5a0c
0x003f5a0f
0x003f5a12
0x003f5a14
0x00000000
0x00000000
0x00000000
0x003f5a14
0x003f59b3
0x003f5a16
0x003f5a16
0x003f5a1c
0x003f5a1f
0x003f5a25
0x003f5a28
0x003f5a2e
0x003f5a31
0x003f5a3c
0x003f5a4a
0x003f5a4a
0x003f5992
0x003f58e9
0x003f5827
0x003f5827
0x003f5827
0x003f582d
0x00000000
0x003f582d
0x003f5825
0x003f580a
0x003f5795
0x003f577f
0x003f5760
0x003f573b
0x003f5714

APIs

CoInitializeEx.OLE32(00000000,00000000,9D5F503D,\fa_rss,00000002,?), ref: 003F56EC
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 003F570C
CoCreateInstance.OLE32(0040D360,00000000,00000001,0040D370,?), ref: 003F5733
SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 003F5775
SysFreeString.OLEAUT32(?), ref: 003F57DA
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 003F581D
CoUninitialize.OLE32 ref: 003F5839
SysFreeString.OLEAUT32(?), ref: 003F591C
SysFreeString.OLEAUT32(00000000), ref: 003F5960
VariantClear.OLEAUT32(?), ref: 003F5A04
CoUninitialize.OLE32 ref: 003F5A31
SysFreeString.OLEAUT32(-00000001), ref: 003F5A80

Strings

ROOT\CIMV2, xrefs: 003F5762
32BB3542-7533-27D2-5200-3CE24BD43271, xrefs: 003F59E6
UUID, xrefs: 003F59DA
WQL, xrefs: 003F58C2
SELECT * FROM Win32_ComputerSystemProduct, xrefs: 003F5874
\fa_rss, xrefs: 003F56D6, 003F5A65

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: String$Free$InitializeUninitialize$AllocBlanketClearCreateInstanceProxySecurityVariant
String ID: 32BB3542-7533-27D2-5200-3CE24BD43271$ROOT\CIMV2$SELECT * FROM Win32_ComputerSystemProduct$UUID$WQL$\fa_rss
API String ID: 3344067834-3430109729
Opcode ID: f828b476d7f2ccea8dcffbecd3835f508b934f0f6d7e8acc8866516a6e60b167
Instruction ID: eedb0f6357462483cce70a6e6422ca75c3349f9c8b2f220e48bd1b5a05877443
Opcode Fuzzy Hash: f828b476d7f2ccea8dcffbecd3835f508b934f0f6d7e8acc8866516a6e60b167
Instruction Fuzzy Hash: 37C1A270A01709EFEB21DF94CD45B6ABBB4EF44B11F20422DF615AB2D0D7B5A904CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003F1F10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E003F1F10(void* __ebx, signed int __edi, void* __eflags, short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short* _v0;
				intOrPtr _v4;
				char _v8;
				char _v12;
				char _v16;
				WCHAR* _v20;
				int _v24;
				void* _v28;
				char _v32;
				int _v40;
				char _v56;
				char _v64;
				int* _v76;
				char** _v80;
				short* _v88;
				short* _v92;
				char _v108;
				char _v116;
				void* _v120;
				void* __esi;
				signed int _t86;
				signed int _t93;
				signed int _t99;
				short* _t104;
				void* _t109;
				char* _t130;
				signed int _t152;
				intOrPtr* _t163;
				signed int _t176;
				char** _t178;
				signed int _t179;
				int _t201;
				intOrPtr* _t203;
				short* _t205;
				short* _t207;
				short* _t210;
				short* _t212;
				intOrPtr* _t213;
				short* _t215;
				intOrPtr* _t217;
				signed int _t219;
				signed int _t220;
				int _t223;
				intOrPtr* _t224;
				void* _t226;
				char** _t227;
				signed int _t228;
				signed int _t229;
				WCHAR* _t233;
				signed int _t234;
				signed int _t238;
				void* _t240;
				signed int _t241;
				signed int _t242;

				_t219 = __edi;
				_t174 = __ebx;
				_push(0xffffffff);
				_push(E0040C618);
				_push( *[fs:0x0]);
				_t241 = _t240 - 8;
				_push(__ebx);
				_push(_t226);
				_push(__edi);
				_t86 =  *0x416014; // 0x9d5f503d
				_push(_t86 ^ _t237);
				 *[fs:0x0] =  &_v16;
				_v8 = 2;
				_t178 = E003F5450(_t226);
				if(_t178 == 0) {
					_push(0x80004005);
					E003F5550(__ebx, _t201, __edi, _t226);
					goto L14;
				} else {
					_v24 = ( *_t178)[0xc]() + 0x10;
					_v8 = 3;
					_t178 = E003F5450(_t226);
					if(_t178 == 0) {
						L14:
						_push(0x80004005);
						E003F5550(_t174, _t201, _t219, _t226);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t238 = _t241;
						_push(0xffffffff);
						_push(E0040C699);
						_push( *[fs:0x0]);
						_t242 = _t241 - 0x14;
						_push(_t226);
						_push(_t219);
						_t93 =  *0x416014; // 0x9d5f503d
						_push(_t93 ^ _t238);
						 *[fs:0x0] =  &_v64;
						_t227 = _t178;
						_v80 = _t227;
						_v76 = 0;
						_v56 = 2;
						_t179 = E003F5450(_t227);
						if(_t179 == 0) {
							L29:
							_push(0x80004005);
							E003F5550(_t174, _t201, _t219, _t227);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t238);
							_push(0xffffffff);
							_push(E0040C6D8);
							_push( *[fs:0x0]);
							_push(_t179);
							_push(_t227);
							_t99 =  *0x416014; // 0x9d5f503d
							_push(_t99 ^ _t242);
							 *[fs:0x0] =  &_v116;
							_v108 = 2;
							RegCreateKeyW(0x80000001, _v88,  &_v120);
							_t104 = _v92;
							_t228 =  *(_t104 - 0xc);
							if( *((intOrPtr*)(_t104 - 4)) > 1) {
								E003F4710(_t174,  &_v0, _t228);
								_t104 = _v0;
							}
							__imp__RegSetKeyValueW(_v28, 0, _v4, 1, _t104, _t228 + _t228);
							RegCloseKey(_v28);
							_v16 = 1;
							_t229 = _t228 | 0xffffffff;
							_t203 = _v4 + 0xfffffff0;
							asm("lock xadd [edx+0xc], eax");
							if(_t229 - 1 <= 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t203)) + 4))(_t203);
							}
							_v16 = 0;
							_t205 =  &(_v0[0xfffffffffffffff8]);
							asm("lock xadd [edx+0xc], eax");
							_t109 = _t229 - 1;
							if(_t109 <= 0) {
								_t109 =  *((intOrPtr*)( *( *_t205) + 4))(_t205);
							}
							_v16 = 0xffffffff;
							_t207 =  &(_a4[0xfffffffffffffff8]);
							asm("lock xadd [edx+0xc], esi");
							if(_t229 - 1 <= 0) {
								_t109 =  *((intOrPtr*)( *( *_t207) + 4))(_t207);
							}
							 *[fs:0x0] = _v24;
							return _t109;
						} else {
							 *_t227 =  *((intOrPtr*)( *_t179 + 0xc))() + 0x10;
							_v32 = 1;
							_v24 = 0x1000;
							RegCreateKeyW(0x80000001, _a4,  &_v28);
							_t201 = _v24;
							if(_t201 < 0) {
								L28:
								_push(0x80070057);
								E003F5550(_t174, _t201, _t219, _t227);
								goto L29;
							} else {
								if(( *((intOrPtr*)( *_t227 - 8)) - _t201 | 0x00000001 -  *((intOrPtr*)( *_t227 - 4))) < 0) {
									E003F4820(_t227, _t201, _t201);
								}
								RegQueryValueExW(_v28, _v0, 0,  &_v40,  *_t227,  &_v24);
								_t128 =  *_t227;
								if( *_t227 != 0) {
									_t179 = E003FE090(_t128,  *((intOrPtr*)(_t128 - 8)));
									_t242 = _t242 + 8;
									if(_t179 < 0) {
										goto L28;
									} else {
										goto L22;
									}
								} else {
									_t179 = 0;
									L22:
									_t130 =  *_t227;
									if(_t179 >  *((intOrPtr*)(_t130 - 8))) {
										goto L28;
									} else {
										 *(_t130 - 0xc) = _t179;
										 *((short*)( *_t227 + _t179 * 2)) = 0;
										RegCloseKey(_v28);
										_v12 = 1;
										_t220 = _t219 | 0xffffffff;
										_t210 =  &(_v0[0xfffffffffffffff8]);
										asm("lock xadd [edx+0xc], eax");
										if(_t220 - 1 <= 0) {
											 *((intOrPtr*)( *( *_t210) + 4))(_t210);
										}
										_v12 = 0;
										_t212 =  &(_a4[0xfffffffffffffff8]);
										asm("lock xadd [edx+0xc], edi");
										if(_t220 - 1 <= 0) {
											 *((intOrPtr*)( *( *_t212) + 4))(_t212);
										}
										 *[fs:0x0] = _v20;
										return _t227;
									}
								}
							}
						}
					} else {
						_v20 = ( *_t178)[0xc]() + 0x10;
						_v8 = 4;
						E003F4AB0(_t178,  &_v20, L"%ws\\temp_event");
						_t152 = E003F4AB0(_t178,  &_v24, L"https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%d");
						_t233 = _v20;
						_t223 = _v24;
						__imp__URLDownloadToFileW(0, _t223, _t233, 0, 0, "32BB3542-7533-27D2-5200-3CE24BD43271", 0x413548, _a4, _a8, _a12, GetTickCount(),  *0x417944); // executed
						DeleteFileW(_t233); // executed
						_v8 = 3;
						_t213 = _t233 - 0x10;
						_t176 = _t152 & 0xffffff00 | _t152 == 0x00000000;
						_t234 = _t233 | 0xffffffff;
						asm("lock xadd [edx+0xc], eax");
						if(_t234 - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t213)) + 4))(_t213);
						}
						_v8 = 2;
						_t224 = _t223 + 0xfffffff0;
						asm("lock xadd [edi+0xc], eax");
						if(_t234 - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t224)) + 4))(_t224);
						}
						_v8 = 1;
						_t215 =  &(_a4[0xfffffffffffffff8]);
						asm("lock xadd [edx+0xc], eax");
						if(_t234 - 1 <= 0) {
							 *((intOrPtr*)( *( *_t215) + 4))(_t215);
						}
						_v8 = 0;
						_t217 = _a8 + 0xfffffff0;
						asm("lock xadd [edx+0xc], eax");
						if(_t234 - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t217)) + 4))(_t217);
						}
						_v8 = 0xffffffff;
						_t163 = _a12 + 0xfffffff0;
						asm("lock xadd [eax+0xc], esi");
						if(_t234 - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *_t163)) + 4))(_t163);
						}
						 *[fs:0x0] = _v16;
						return _t176;
					}
				}
			}

0x003f1f10
0x003f1f10
0x003f1f13
0x003f1f15
0x003f1f20
0x003f1f21
0x003f1f24
0x003f1f25
0x003f1f26
0x003f1f27
0x003f1f2e
0x003f1f32
0x003f1f38
0x003f1f44
0x003f1f48
0x003f2087
0x003f208c
0x00000000
0x003f1f4e
0x003f1f56
0x003f1f59
0x003f1f62
0x003f1f66
0x003f2091
0x003f2091
0x003f2096
0x003f209b
0x003f209c
0x003f209d
0x003f209e
0x003f209f
0x003f20a1
0x003f20a3
0x003f20a5
0x003f20b0
0x003f20b1
0x003f20b4
0x003f20b5
0x003f20b6
0x003f20bd
0x003f20c1
0x003f20c7
0x003f20c9
0x003f20cc
0x003f20d3
0x003f20df
0x003f20e3
0x003f21e2
0x003f21e2
0x003f21e7
0x003f21ec
0x003f21ed
0x003f21ee
0x003f21ef
0x003f21f0
0x003f21f3
0x003f21f5
0x003f2200
0x003f2201
0x003f2202
0x003f2203
0x003f220a
0x003f220e
0x003f2217
0x003f2227
0x003f222d
0x003f2234
0x003f2237
0x003f223d
0x003f2242
0x003f2242
0x003f2254
0x003f225d
0x003f2263
0x003f2267
0x003f226f
0x003f2272
0x003f227a
0x003f2281
0x003f2281
0x003f2284
0x003f228d
0x003f2290
0x003f2295
0x003f2298
0x003f229f
0x003f229f
0x003f22a2
0x003f22ac
0x003f22af
0x003f22b7
0x003f22be
0x003f22be
0x003f22c4
0x003f22d0
0x003f20e9
0x003f20f1
0x003f20f6
0x003f2101
0x003f210d
0x003f2113
0x003f2118
0x003f21d8
0x003f21d8
0x003f21dd
0x00000000
0x003f211e
0x003f212f
0x003f2134
0x003f2134
0x003f214b
0x003f2151
0x003f2155
0x003f2164
0x003f2166
0x003f216b
0x00000000
0x00000000
0x00000000
0x00000000
0x003f2157
0x003f2157
0x003f216d
0x003f216d
0x003f2172
0x00000000
0x003f2174
0x003f2174
0x003f217b
0x003f2182
0x003f2188
0x003f218c
0x003f2194
0x003f2197
0x003f219f
0x003f21a6
0x003f21a6
0x003f21a9
0x003f21b0
0x003f21b3
0x003f21bb
0x003f21c2
0x003f21c2
0x003f21ca
0x003f21d7
0x003f21d7
0x003f2172
0x003f2155
0x003f2118
0x003f1f6c
0x003f1f74
0x003f1f77
0x003f1f8a
0x003f1fb5
0x003f1fba
0x003f1fc0
0x003f1fcb
0x003f1fd4
0x003f1fdc
0x003f1fe0
0x003f1fe3
0x003f1fe6
0x003f1feb
0x003f1ff3
0x003f1ffa
0x003f1ffa
0x003f1ffd
0x003f2001
0x003f2006
0x003f200e
0x003f2015
0x003f2015
0x003f2018
0x003f2021
0x003f2024
0x003f202c
0x003f2033
0x003f2033
0x003f2036
0x003f203f
0x003f2042
0x003f204a
0x003f2051
0x003f2051
0x003f2054
0x003f205e
0x003f2061
0x003f2069
0x003f2070
0x003f2070
0x003f2078
0x003f2086
0x003f2086
0x003f1f66

APIs

Part of subcall function 003F5450: GetProcessHeap.KERNEL32 ref: 003F547C
Part of subcall function 003F5450: __Init_thread_footer.LIBCMT ref: 003F54A7
Part of subcall function 003F5450: __Init_thread_footer.LIBCMT ref: 003F5525

GetTickCount.KERNEL32 ref: 003F1F92
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 003F1FCB
DeleteFileW.KERNEL32(?), ref: 003F1FD4

Strings

32BB3542-7533-27D2-5200-3CE24BD43271, xrefs: 003F1FAA
%ws\temp_event, xrefs: 003F1F84
https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%d, xrefs: 003F1FAF

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: FileInit_thread_footer$CountDeleteDownloadHeapProcessTick
String ID: %ws\temp_event$32BB3542-7533-27D2-5200-3CE24BD43271$https://veryfast.io/pixel.gif?guid=%ws&version=%ws&evt_src=fa_%ws&evt_action=%ws&%ws&nocache=%d
API String ID: 3783453630-257641997
Opcode ID: 275b5c51ee057624cce9ac0dce0df972bff55997a1693d1f210b966f063a7326
Instruction ID: 19948c92d77ce48cfb6d306de27293482957cb2c5b28fa5ccb62e69298239f71
Opcode Fuzzy Hash: 275b5c51ee057624cce9ac0dce0df972bff55997a1693d1f210b966f063a7326
Instruction Fuzzy Hash: 9351C13160164AEFD701CF6CCC48B5ABBE8EF05325F158269B918DB2A1DB30DD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003FED36 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E003FED36(int _a4) {
				void* _t14;

				if(E00402E2F(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E003FED78(_t14, _a4);
				ExitProcess(_a4);
			}

0x003fed43
0x003fed5f
0x003fed5f
0x003fed68
0x003fed71

APIs

GetCurrentProcess.KERNEL32(?,?,003FED35,8007000E,?,?,8007000E,?,003F9BEA), ref: 003FED58
TerminateProcess.KERNEL32(00000000,?,003FED35,8007000E,?,?,8007000E,?,003F9BEA), ref: 003FED5F
ExitProcess.KERNEL32 ref: 003FED71

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 50d738223193b42794e4e777aa677c69d1e250b2d23a7a649228ac286e68764f
Instruction ID: 9d42a97ab3796a130b4859f96cff760a30bb0b9c377e73381e5375119c204cb2
Opcode Fuzzy Hash: 50d738223193b42794e4e777aa677c69d1e250b2d23a7a649228ac286e68764f
Instruction Fuzzy Hash: D7E0B63184054CAFCB226F94DE0D9683B69EB84741B014825F9059A531CF35DD85DA84

Uniqueness

Uniqueness Score: -1.00%

Function 003F6657 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E003F6657() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E003F6663); // executed
				return _t1;
			}

0x003f665c
0x003f6662

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006663,003F5B72), ref: 003F665C

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab617c203ff8d131d43b7cd4719750334d20aeb7db4333e320b304ac0a0930a8
Instruction ID: d925d8e31a8d66b83d838028e9da8b9b22b29e8c0f0116bdc9b0a46af2430fd2
Opcode Fuzzy Hash: ab617c203ff8d131d43b7cd4719750334d20aeb7db4333e320b304ac0a0930a8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 003F61C0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E003F61C0(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x416ee8, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x416ee4 = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x416f00 = _t11;
						 *0x416f04 = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E003F64C4(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x416ee8);
						_t7 =  *0x416ee4; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x003f61c0
0x003f61c1
0x003f61cc
0x003f61d7
0x003f61dd
0x003f61e1
0x003f61f4
0x003f6206
0x003f6208
0x003f6210
0x003f622b
0x003f6231
0x003f6238
0x00000000
0x00000000
0x00000000
0x00000000
0x003f6216
0x003f6216
0x003f621c
0x003f6221
0x003f6223
0x003f6223
0x003f61e3
0x003f61ee
0x003f61f2
0x003f623a
0x003f623c
0x003f6241
0x003f6247
0x003f624d
0x003f6254
0x00000000
0x003f6257
0x003f625d
0x00000000
0x00000000
0x00000000
0x003f61f2

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00416EE8,00000FA0,?,?,003F619E), ref: 003F61CC
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,003F619E), ref: 003F61D7
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,003F619E), ref: 003F61E8
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003F61FA
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003F6208
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,003F619E), ref: 003F622B
___scrt_fastfail.LIBCMT ref: 003F623C
DeleteCriticalSection.KERNEL32(00416EE8,00000007,?,?,003F619E), ref: 003F6247
CloseHandle.KERNEL32(00000000,?,?,003F619E), ref: 003F6257

Strings

SleepConditionVariableCS, xrefs: 003F61F4
WakeAllConditionVariable, xrefs: 003F6200
api-ms-win-core-synch-l1-2-0.dll, xrefs: 003F61D2
kernel32.dll, xrefs: 003F61E3

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 471e4f0195d08e5376921e17e00900a08a13a65da6269438340fabc2be380c40
Instruction ID: 3f18d4eb526a837432485929c289a46605840181048b7abe3d586df57204a9db
Opcode Fuzzy Hash: 471e4f0195d08e5376921e17e00900a08a13a65da6269438340fabc2be380c40
Instruction Fuzzy Hash: 8001B175F41305ABDB215BF4BD0EF663A68EB45B00B124532BE05F6290DF74CC058668

Uniqueness

Uniqueness Score: -1.00%

Function 00403DB8 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403DB8(void* __ecx) {
				void* _t3;
				void* _t13;
				void* _t17;
				WCHAR* _t18;

				_t13 = __ecx;
				_t18 = GetEnvironmentStringsW();
				if(_t18 != 0) {
					_t11 = E00403D81(_t18) - _t18 & 0xfffffffe;
					_t3 = E00400374(_t13, E00403D81(_t18) - _t18 & 0xfffffffe); // executed
					_t17 = _t3;
					if(_t17 != 0) {
						E003F92F0(_t17, _t18, _t11);
					}
					E003FF8AF(0);
					FreeEnvironmentStringsW(_t18);
				} else {
					_t17 = 0;
				}
				return _t17;
			}

0x00403db8
0x00403dc2
0x00403dc6
0x00403dd7
0x00403ddb
0x00403de0
0x00403de6
0x00403deb
0x00403df0
0x00403df5
0x00403dfc
0x00403dc8
0x00403dc8
0x00403dc8
0x00403e07

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00403DBC
_free.LIBCMT ref: 00403DF5
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00403DFC

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 0d0483309ed1d7405e952d0a91c81c330eb1ace52360e4119c635d7da77fbeed
Instruction ID: 3882ca41e749aec7d949fc6c257eba0cc6792c120c700e895274b24cd17c29cc
Opcode Fuzzy Hash: 0d0483309ed1d7405e952d0a91c81c330eb1ace52360e4119c635d7da77fbeed
Instruction Fuzzy Hash: CCE0E52760461136D22227357C85A6B1D0ECFC27B9B250236F919662C2EE388E0340A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404196 Relevance: 1.6, APIs: 1, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00404196(void* __edi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t17;
				void* _t18;
				void* _t27;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_push(_t27);
				_t17 = E003FF852(_t27, 0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E003FFC5D(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E003FF8AF(0);
				return _t35;
			}

0x0040419b
0x0040419c
0x004041a3
0x004041a8
0x004041ac
0x004041b3
0x004041b9
0x004041b9
0x004041bf
0x004041c1
0x004041c4
0x004041c4
0x004041c7
0x004041c9
0x004041cf
0x004041d3
0x004041d8
0x004041dc
0x004041de
0x004041e1
0x004041e7
0x004041ee
0x004041f2
0x004041f6
0x004041f9
0x004041fc
0x004041fc
0x00404200
0x00404203
0x004041b5
0x004041b5
0x004041b5
0x00404205
0x00404210

APIs

Part of subcall function 003FF852: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00400B76,00000001,00000364,00000006,000000FF,?,003FF6D2,?,00000004,00000004,?,00000000), ref: 003FF893

_free.LIBCMT ref: 00404205

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2674e8dcdbd025e2c9de59997509421f4b4fa03c3e2f49e124f1530669c3430a
Instruction ID: 1d1f9b83e48070053dbdd2e67d284c14ebde0258e73c60d9da7dd7ca8bd31771
Opcode Fuzzy Hash: 2674e8dcdbd025e2c9de59997509421f4b4fa03c3e2f49e124f1530669c3430a
Instruction Fuzzy Hash: E9012BB26043166FC3219F58D88599AFB98EB453B0F14067EE655B76C0D7706C00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003FF852 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003FF852(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x417708, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E003FF085();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E003FD87D(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E003FF565(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x003ff852
0x003ff858
0x003ff85d
0x003ff86b
0x003ff86b
0x003ff871
0x003ff873
0x003ff873
0x003ff88a
0x003ff893
0x003ff89b
0x00000000
0x00000000
0x003ff87b
0x003ff87d
0x003ff89f
0x003ff8a4
0x003ff8aa
0x00000000
0x003ff8aa
0x003ff880
0x003ff885
0x003ff886
0x003ff888
0x00000000
0x00000000
0x003ff888
0x00000000
0x003ff88a
0x003ff863
0x003ff869
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00400B76,00000001,00000364,00000006,000000FF,?,003FF6D2,?,00000004,00000004,?,00000000), ref: 003FF893

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e7e2a8289a96a8bbd8c7fb01a8ae6efa5be649687fabbbaa89dd87b573b40720
Instruction ID: aeb709144fa892bb698e70fa9be3e11aa0ae92626e19a648d3afc853f61c51ba
Opcode Fuzzy Hash: e7e2a8289a96a8bbd8c7fb01a8ae6efa5be649687fabbbaa89dd87b573b40720
Instruction Fuzzy Hash: 5DF0E93254122D6EDB275A62CC05B7A37589F41BF0F198171EE18EA090CA30DC0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00400374 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00400374(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E003FD87D(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x417708, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E003FF085();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E003FF565(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00400374
0x0040037a
0x00400380
0x004003b2
0x004003b7
0x004003bd
0x00000000
0x004003bd
0x00400384
0x00400386
0x00400386
0x0040039d
0x004003a6
0x004003ae
0x00000000
0x00000000
0x0040038e
0x00400390
0x00000000
0x00000000
0x00400393
0x00400398
0x00400399
0x0040039b
0x00000000
0x00000000
0x0040039b
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040566F,?,00000000,?,003FF6D2,?,00000004,00000004,?,00000000,?,003FF200), ref: 004003A6

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb294f4b124d6483f42545756fb40e936f80186b2c9a35b97db472258d9fbd42
Instruction ID: 48eac9981e8249b372f90ab8c35e160b7908f00757778e9f0e61812cd9af5fb3
Opcode Fuzzy Hash: bb294f4b124d6483f42545756fb40e936f80186b2c9a35b97db472258d9fbd42
Instruction Fuzzy Hash: 0CE09B315403259BD73326659C05B6B36589F417F4F194233EE15F62D1CB38DC4181AD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406A78 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1451
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00406A78(void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed char _v0;
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				intOrPtr _v1916;
				signed int _v1920;
				intOrPtr* _v1924;
				signed int _v1928;
				char _v1936;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				intOrPtr _v2432;
				void* __edi;
				signed int _t750;
				intOrPtr _t760;
				signed int _t764;
				signed int _t765;
				signed char _t774;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				void* _t786;
				signed int _t787;
				void* _t789;
				signed int _t790;
				signed int _t791;
				signed int _t800;
				signed int _t801;
				signed int _t807;
				intOrPtr _t814;
				void* _t815;
				unsigned int* _t817;
				signed int _t826;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t848;
				signed int _t849;
				signed int _t855;
				signed int _t856;
				signed int _t859;
				signed int _t864;
				signed int _t872;
				signed int* _t875;
				signed int _t879;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				char* _t894;
				signed int _t897;
				signed int _t903;
				signed int _t905;
				signed int _t909;
				signed int _t912;
				signed int _t921;
				signed int _t924;
				signed int _t926;
				signed int _t929;
				signed int _t930;
				signed int _t933;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				char* _t950;
				signed int _t953;
				signed int* _t956;
				signed int _t959;
				signed int _t961;
				signed int _t965;
				signed int _t968;
				signed int _t976;
				signed int _t979;
				signed int _t983;
				intOrPtr _t987;
				void* _t988;
				unsigned int* _t990;
				unsigned int _t1000;
				signed int _t1001;
				signed int _t1005;
				signed int _t1006;
				void* _t1007;
				signed int _t1020;
				signed int _t1022;
				unsigned int _t1027;
				signed int _t1028;
				signed int _t1032;
				signed int _t1033;
				void* _t1034;
				signed int _t1039;
				signed int _t1043;
				signed int _t1045;
				signed int _t1053;
				void* _t1054;
				signed char _t1055;
				signed int _t1058;
				signed int _t1061;
				void* _t1065;
				signed int _t1066;
				signed int _t1068;
				signed int _t1070;
				signed int _t1072;
				signed int _t1073;
				signed int _t1074;
				signed int _t1075;
				intOrPtr* _t1088;
				void* _t1101;
				signed int _t1112;
				signed int _t1113;
				signed int _t1116;
				signed int _t1117;
				signed int _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1125;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1133;
				signed int _t1134;
				signed int _t1135;
				signed int _t1136;
				signed int _t1137;
				signed int _t1138;
				signed int _t1139;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1144;
				signed int _t1145;
				void* _t1146;
				signed int _t1147;
				signed int _t1152;
				signed int _t1153;
				signed int _t1158;
				void* _t1159;
				signed int _t1163;
				signed int _t1166;
				signed int _t1171;
				signed int _t1174;
				signed int _t1175;
				signed int _t1176;
				unsigned int _t1177;
				char _t1186;
				signed int _t1188;
				signed int _t1189;
				signed int _t1190;
				signed int _t1191;
				signed int _t1192;
				signed int _t1193;
				signed int _t1195;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1203;
				unsigned int _t1205;
				signed int _t1210;
				intOrPtr* _t1212;
				signed int _t1214;
				intOrPtr* _t1216;
				intOrPtr _t1218;
				void* _t1219;
				void* _t1224;
				signed int _t1225;
				unsigned int _t1227;
				signed int _t1228;
				signed int _t1229;
				void* _t1230;
				signed int _t1231;
				signed int _t1232;
				signed int _t1233;
				signed int _t1236;
				signed int _t1237;
				signed int _t1238;
				signed int _t1239;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1247;
				signed int _t1250;
				signed int _t1251;
				signed int _t1254;
				void* _t1255;
				signed int _t1256;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				unsigned int* _t1265;
				signed int _t1266;
				signed int _t1269;
				signed int _t1270;
				signed int _t1271;
				signed int _t1272;
				signed int _t1274;
				signed int _t1275;
				signed int _t1276;
				signed int _t1277;
				signed int _t1278;
				signed int _t1280;
				signed int _t1281;
				signed int _t1282;
				signed int _t1283;
				signed int _t1284;
				unsigned int* _t1285;
				signed int _t1286;
				signed int _t1290;
				signed int _t1292;
				signed int _t1294;
				signed int _t1296;
				signed int _t1297;
				signed int* _t1299;
				signed int* _t1301;
				signed int _t1304;
				signed int _t1311;

				_t1255 = __esi;
				_t750 =  *0x416014; // 0x9d5f503d
				_v8 = _t750 ^ _t1297;
				_v1924 = _a16;
				_v1904 = _a20;
				E004097FF(__eflags,  &_v1944);
				if((_v1944 & 0x0000001f) != 0x1f) {
					E00409867(__eflags,  &_v1944);
					_v1936 = 1;
				} else {
					_v1936 = 0;
				}
				_t1053 = _a4;
				_push(_t1255);
				_t1256 = _a8;
				_t1218 = 0x20;
				_t1304 = _t1256;
				if(_t1304 > 0 || _t1304 >= 0 && _t1053 >= 0) {
					_t760 = _t1218;
				} else {
					_t760 = 0x2d;
				}
				_t1088 = _v1924;
				_t1174 = _v1904;
				 *_t1088 = _t760;
				 *((intOrPtr*)(_t1088 + 8)) = _t1174;
				if((_t1256 & 0x7ff00000) != 0) {
					L11:
					_t764 = E00400C80( &_a4);
					__eflags = _t764;
					if(_t764 != 0) {
						 *(_v1924 + 4) = 1;
					}
					_t765 = _t764 - 1;
					__eflags = _t765;
					if(_t765 == 0) {
						_push("1#INF");
						goto L310;
					} else {
						_t800 = _t765 - 1;
						__eflags = _t800;
						if(_t800 == 0) {
							_push("1#QNAN");
							goto L310;
						} else {
							_t801 = _t800 - 1;
							__eflags = _t801;
							if(_t801 == 0) {
								_push("1#SNAN");
								goto L310;
							} else {
								__eflags = _t801 == 1;
								if(_t801 == 1) {
									_push("1#IND");
									L310:
									_push(_a24);
									_t1092 = _v1904;
									_push(_v1904);
									goto L311;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a8 = _t1256 & 0x7fffffff;
									_a4 = _t1053;
									_t1311 = _a4;
									asm("fst qword [ebp-0x778]");
									_t1262 = _v1912;
									_v1920 = _a12 + 1;
									_t1112 = _t1262 >> 0x14;
									_t807 = _t1112 & 0x000007ff;
									__eflags = _t807;
									if(_t807 != 0) {
										_t807 = 0;
										_t1175 = 0x100000;
										_t1058 = 0;
										__eflags = 0;
									} else {
										_t1175 = 0;
										_t1058 = 1;
									}
									_t1263 = _t1262 & 0x000fffff;
									_v1888 = _v1916 + _t807;
									asm("adc esi, edx");
									_t1113 = _t1112 & 0x000007ff;
									_v1868 = _t1113 + _t1058;
									E004098C0(_t1113, _t1311);
									_push(_t1113);
									_push(_t1113);
									 *_t1299 = _t1311;
									E004099D0(_t1113, _v1916 + _t807);
									_t1116 = E0040BF30(_t1175);
									_v1900 = _t1116;
									_t1224 = 0x20;
									__eflags = _t1116 - 0x7fffffff;
									if(_t1116 == 0x7fffffff) {
										L22:
										__eflags = 0;
										_v1900 = 0;
									} else {
										__eflags = _t1116 - 0x80000000;
										if(_t1116 == 0x80000000) {
											goto L22;
										}
									}
									_t1176 = _v1868;
									__eflags = _t1263;
									_v468 = _v1888;
									_v464 = _t1263;
									_v936 = _v936 & 0x00000000;
									_t1061 = (0 | _t1263 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1176 - 0x433;
									if(_t1176 < 0x433) {
										__eflags = _t1176 - 0x35;
										if(_t1176 == 0x35) {
											L110:
											_t814 =  *((intOrPtr*)(_t1297 + _t1061 * 4 - 0x1d4));
											_t202 =  &_v1912;
											 *_t202 = _v1912 & 0x00000000;
											__eflags =  *_t202;
											asm("bsr eax, eax");
											if( *_t202 == 0) {
												_t815 = 0;
												__eflags = 0;
											} else {
												_t815 = _t814 + 1;
											}
											_t1264 = _t1061;
											_t1225 = _t1224 - _t815;
											__eflags = _t1225;
											_v1888 = _t1264;
											_t1117 = _t1264;
											_t817 =  &(( &_v472)[_t1264]);
											_v1884 = _t817;
											_t1265 = _t817;
											while(1) {
												__eflags = _t1117 - _t1061;
												if(_t1117 >= _t1061) {
													_t213 =  &_v1872;
													 *_t213 = _v1872 & 0x00000000;
													__eflags =  *_t213;
												} else {
													_v1872 =  *(_t1297 + _t1117 * 4 - 0x1d0);
												}
												_t215 = _t1117 - 1; // -1
												__eflags = _t215 - _t1061;
												if(_t215 >= _t1061) {
													_t1177 = 0;
													__eflags = 0;
												} else {
													_t1177 =  *_t1265;
												}
												_t1265 = _t1265 - 4;
												 *(_t1297 + _t1117 * 4 - 0x1d0) = _t1177 >> 0x0000001f | _v1872 + _v1872;
												_t1117 = _t1117 - 1;
												__eflags = _t1117 - 0xffffffff;
												if(_t1117 == 0xffffffff) {
													break;
												}
												_t1061 = _v472;
											}
											_t1266 = _v1888;
											__eflags = _t1225 - 1;
											if(_t1225 >= 1) {
												_v472 = _t1266;
											} else {
												_v472 = _t1266 + 1;
											}
											_t1227 = 0x434 >> 5;
											E003F7720(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1297 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1263;
											if(_t1263 != 0) {
												_t1146 = 0;
												__eflags = 0;
												while(1) {
													_t987 =  *((intOrPtr*)(_t1297 + _t1146 - 0x570));
													__eflags = _t987 -  *((intOrPtr*)(_t1297 + _t1146 - 0x1d0));
													if(_t987 !=  *((intOrPtr*)(_t1297 + _t1146 - 0x1d0))) {
														goto L110;
													}
													_t1146 = _t1146 + 4;
													__eflags = _t1146 - 8;
													if(_t1146 != 8) {
														continue;
													} else {
														_t172 =  &_v1912;
														 *_t172 = _v1912 & 0x00000000;
														__eflags =  *_t172;
														asm("bsr eax, esi");
														if( *_t172 == 0) {
															_t988 = 0;
															__eflags = 0;
														} else {
															_t988 = _t987 + 1;
														}
														_t1284 = _t1061;
														_t1245 = _t1224 - _t988;
														__eflags = _t1245;
														_v1888 = _t1284;
														_t1147 = _t1284;
														_t990 =  &(( &_v472)[_t1284]);
														_v1884 = _t990;
														_t1285 = _t990;
														while(1) {
															__eflags = _t1147 - _t1061;
															if(_t1147 >= _t1061) {
																_t183 =  &_v1872;
																 *_t183 = _v1872 & 0x00000000;
																__eflags =  *_t183;
															} else {
																_v1872 =  *(_t1297 + _t1147 * 4 - 0x1d0);
															}
															_t185 = _t1147 - 1; // -1
															__eflags = _t185 - _t1061;
															if(_t185 >= _t1061) {
																_t1205 = 0;
																__eflags = 0;
															} else {
																_t1205 =  *_t1285;
															}
															_t1285 = _t1285 - 4;
															 *(_t1297 + _t1147 * 4 - 0x1d0) = _t1205 >> 0x0000001e | _v1872 << 0x00000002;
															_t1147 = _t1147 - 1;
															__eflags = _t1147 - 0xffffffff;
															if(_t1147 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1286 = _v1888;
														__eflags = _t1245 - 2;
														if(_t1245 >= 2) {
															_v472 = _t1286;
														} else {
															_v472 = _t1286 + 1;
														}
														_t1227 = 0x435 >> 5;
														E003F7720(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1297 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L126;
												}
											}
											goto L110;
										}
										L126:
										_t826 = _t1227 + 1;
										_t1065 = 0x1cc;
										_v1400 = _t826;
										_v936 = _t826;
										__eflags = _t826 << 2;
										E00403BBE( &_v932, 0x1cc,  &_v1396, _t826 << 2);
										_t1301 =  &(_t1299[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1263;
										if(_t1263 == 0) {
											L59:
											_t1000 = _t1176 - 0x432;
											_t1001 = _t1000 & 0x0000001f;
											_t1290 = _t1000 >> 5;
											_v1868 = _t1001;
											_v1876 = _t1290;
											_v1888 = _t1224 - _t1001;
											_t1005 = E0040BF10(1, _t1224 - _t1001, 0) - 1;
											_t117 =  &_v1912;
											 *_t117 = _v1912 & 0x00000000;
											__eflags =  *_t117;
											_v1908 = _t1005;
											_t1006 =  !_t1005;
											_v1884 = _t1006;
											asm("bsr eax, ecx");
											if( *_t117 == 0) {
												_t1007 = 0;
												__eflags = 0;
											} else {
												_t1007 = _t1006 + 1;
											}
											_t1210 = _t1061 + _t1290;
											_t1247 = _t1224 - _t1007;
											_v1880 = _t1247;
											_v1892 = _t1210;
											__eflags = _t1210 - 0x73;
											if(_t1210 != 0x73) {
												L65:
												_t1152 = 0;
												__eflags = 0;
											} else {
												__eflags = _v1868 - _t1247;
												if(_v1868 <= _t1247) {
													goto L65;
												} else {
													_t1152 = 1;
												}
											}
											__eflags = _t1210 - 0x73;
											if(_t1210 > 0x73) {
												L87:
												__eflags = 0;
												_t1065 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00403BBE( &_v468, 0x1cc,  &_v1396, 0);
												_t1299 =  &(_t1299[4]);
											} else {
												__eflags = _t1152;
												if(_t1152 != 0) {
													goto L87;
												} else {
													__eflags = _t1210 - 0x72;
													if(_t1210 >= 0x72) {
														_t1210 = 0x72;
														_v1892 = _t1210;
													}
													_t1153 = _t1210;
													_v1896 = _t1153;
													__eflags = _t1210 - 0xffffffff;
													if(_t1210 != 0xffffffff) {
														_t1250 = _v1876;
														_t1292 = _t1210 - _t1250;
														__eflags = _t1292;
														_t1212 =  &_v468 + _t1292 * 4;
														while(1) {
															__eflags = _t1153 - _t1250;
															if(_t1153 < _t1250) {
																break;
															}
															__eflags = _t1292 - _t1061;
															if(_t1292 >= _t1061) {
																_t1020 = 0;
																__eflags = 0;
															} else {
																_t1020 =  *_t1212;
															}
															_v1872 = _t1020;
															__eflags = _t1292 - 1 - _t1061;
															if(_t1292 - 1 >= _t1061) {
																_t1022 = 0;
																__eflags = 0;
															} else {
																_t1022 =  *(_t1212 - 4);
															}
															_t1212 = _t1212 - 4;
															_t1158 = _v1896;
															 *(_t1297 + _t1158 * 4 - 0x1d0) = (_t1022 & _v1884) >> _v1888 | (_v1872 & _v1908) << _v1868;
															_t1153 = _t1158 - 1;
															_t1292 = _t1292 - 1;
															_v1896 = _t1153;
															__eflags = _t1153 - 0xffffffff;
															if(_t1153 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1247 = _v1880;
														_t1210 = _v1892;
														_t1290 = _v1876;
													}
													__eflags = _t1290;
													if(_t1290 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1290 << 2);
														_t1299 =  &(_t1299[3]);
														_t1247 = _v1880;
													}
													_t1065 = 0x1cc;
													__eflags = _v1868 - _t1247;
													if(_v1868 <= _t1247) {
														_v472 = _t1210;
													} else {
														_v472 = _t1210 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = 2;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1159 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1297 + _t1159 - 0x570)) -  *((intOrPtr*)(_t1297 + _t1159 - 0x1d0));
												if( *((intOrPtr*)(_t1297 + _t1159 - 0x570)) !=  *((intOrPtr*)(_t1297 + _t1159 - 0x1d0))) {
													goto L59;
												}
												_t1159 = _t1159 + 4;
												__eflags = _t1159 - 8;
												if(_t1159 != 8) {
													continue;
												} else {
													_t1027 = _t1176 - 0x431;
													_t1028 = _t1027 & 0x0000001f;
													_t1294 = _t1027 >> 5;
													_v1868 = _t1028;
													_v1872 = _t1294;
													_v1908 = _t1224 - _t1028;
													_t1032 = E0040BF10(1, _t1224 - _t1028, 0) - 1;
													_t61 =  &_v1912;
													 *_t61 = _v1912 & 0x00000000;
													__eflags =  *_t61;
													_v1884 = _t1032;
													_t1033 =  !_t1032;
													_v1888 = _t1033;
													asm("bsr eax, ecx");
													if( *_t61 == 0) {
														_t1034 = 0;
														__eflags = 0;
													} else {
														_t1034 = _t1033 + 1;
													}
													_t1214 = _t1061 + _t1294;
													_t1251 = _t1224 - _t1034;
													_v1880 = _t1251;
													_v1896 = _t1214;
													__eflags = _t1214 - 0x73;
													if(_t1214 != 0x73) {
														L34:
														_t1163 = 0;
														__eflags = 0;
													} else {
														__eflags = _v1868 - _t1251;
														if(_v1868 <= _t1251) {
															goto L34;
														} else {
															_t1163 = 1;
														}
													}
													__eflags = _t1214 - 0x73;
													if(_t1214 > 0x73) {
														L56:
														__eflags = 0;
														_t1065 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00403BBE( &_v468, 0x1cc,  &_v1396, 0);
														_t1299 =  &(_t1299[4]);
													} else {
														__eflags = _t1163;
														if(_t1163 != 0) {
															goto L56;
														} else {
															__eflags = _t1214 - 0x72;
															if(_t1214 >= 0x72) {
																_t1214 = 0x72;
																_v1896 = _t1214;
															}
															_t1166 = _t1214;
															_v1892 = _t1166;
															__eflags = _t1214 - 0xffffffff;
															if(_t1214 != 0xffffffff) {
																_t1254 = _v1872;
																_t1296 = _t1214 - _t1254;
																__eflags = _t1296;
																_t1216 =  &_v468 + _t1296 * 4;
																while(1) {
																	__eflags = _t1166 - _t1254;
																	if(_t1166 < _t1254) {
																		break;
																	}
																	__eflags = _t1296 - _t1061;
																	if(_t1296 >= _t1061) {
																		_t1043 = 0;
																		__eflags = 0;
																	} else {
																		_t1043 =  *_t1216;
																	}
																	_v1876 = _t1043;
																	__eflags = _t1296 - 1 - _t1061;
																	if(_t1296 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_t1216 - 4);
																	}
																	_t1216 = _t1216 - 4;
																	_t1171 = _v1892;
																	 *(_t1297 + _t1171 * 4 - 0x1d0) = (_t1045 & _v1888) >> _v1908 | (_v1876 & _v1884) << _v1868;
																	_t1166 = _t1171 - 1;
																	_t1296 = _t1296 - 1;
																	_v1892 = _t1166;
																	__eflags = _t1166 - 0xffffffff;
																	if(_t1166 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1214 = _v1896;
																_t1251 = _v1880;
																_t1294 = _v1872;
															}
															__eflags = _t1294;
															if(_t1294 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1294 << 2);
																_t1299 =  &(_t1299[3]);
																_t1251 = _v1880;
															}
															_t1065 = 0x1cc;
															__eflags = _v1868 - _t1251;
															if(_v1868 <= _t1251) {
																_v472 = _t1214;
															} else {
																_v472 = _t1214 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1039 = 4;
													__eflags = 1;
													_v1396 = _t1039;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1039);
												}
												goto L58;
											}
											goto L59;
										}
										L58:
										_push( &_v1396);
										_push(_t1065);
										_push( &_v932);
										E00403BBE();
										_t1301 =  &(_t1299[4]);
									}
									_t831 = _v1900;
									_t1119 = 0xa;
									_v1888 = _t1119;
									__eflags = _t831;
									if(_t831 < 0) {
										_t832 =  ~_t831;
										_t833 = _t832 / _t1119;
										_v1892 = _t833;
										_t1120 = _t832 % _t1119;
										_v1912 = _t1120;
										__eflags = _t833;
										if(_t833 == 0) {
											L249:
											__eflags = _t1120;
											if(_t1120 != 0) {
												_t872 =  *(0x4120d4 + _t1120 * 4);
												_v1912 = _t872;
												__eflags = _t872;
												if(_t872 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t872 - 1;
													if(_t872 != 1) {
														_t1131 = _v472;
														__eflags = _t1131;
														if(_t1131 != 0) {
															_t1233 = 0;
															_t1272 = 0;
															__eflags = 0;
															do {
																_t1189 = _t872 *  *(_t1297 + _t1272 * 4 - 0x1d0) >> 0x20;
																 *(_t1297 + _t1272 * 4 - 0x1d0) = _t872 *  *(_t1297 + _t1272 * 4 - 0x1d0) + _t1233;
																_t872 = _v1912;
																asm("adc edx, 0x0");
																_t1272 = _t1272 + 1;
																_t1233 = _t1189;
																__eflags = _t1272 - _t1131;
															} while (_t1272 != _t1131);
															__eflags = _t1233;
															if(_t1233 != 0) {
																_t879 = _v472;
																__eflags = _t879 - 0x73;
																if(_t879 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1297 + _t879 * 4 - 0x1d0) = _t1233;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t833 - 0x26;
												if(_t833 > 0x26) {
													_t833 = 0x26;
												}
												_t1132 =  *(0x41203e + _t833 * 4) & 0x000000ff;
												_v1868 = _t833;
												_v1400 = ( *(0x41203e + _t833 * 4) & 0x000000ff) + ( *(0x41203f + _t833 * 4) & 0x000000ff);
												E003F7720(_t1132 << 2,  &_v1396, 0, _t1132 << 2);
												_t890 = E003F92F0( &(( &_v1396)[_t1132]), 0x411738 + ( *(0x41203c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0x41203f + _t833 * 4) & 0x000000ff) << 2);
												_t1236 = _v1400;
												_t1301 =  &(_t1301[6]);
												__eflags = _t1236 - 1;
												if(_t1236 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1236 - _v472;
														_t1190 =  &_v1396;
														_t499 = _t1236 - _v472 > 0;
														__eflags = _t499;
														_t891 = _t890 & 0xffffff00 | _t499;
														if(_t499 >= 0) {
															_t1190 =  &_v468;
														}
														_v1876 = _t1190;
														_t1133 =  &_v468;
														__eflags = _t891;
														if(_t891 == 0) {
															_t1133 =  &_v1396;
														}
														_v1908 = _t1133;
														__eflags = _t891;
														if(_t891 == 0) {
															_t1134 = _v472;
															_v1896 = _t1134;
														} else {
															_t1134 = _t1236;
															_v1896 = _t1236;
														}
														__eflags = _t891;
														if(_t891 != 0) {
															_t1236 = _v472;
														}
														_t892 = 0;
														_t1274 = 0;
														_v1864 = 0;
														__eflags = _t1134;
														if(_t1134 == 0) {
															L243:
															_v472 = _t892;
															_t893 = _t892 << 2;
															__eflags = _t893;
															_push(_t893);
															_t894 =  &_v1860;
															goto L244;
														} else {
															do {
																__eflags =  *(_t1190 + _t1274 * 4);
																if( *(_t1190 + _t1274 * 4) != 0) {
																	_t1193 = 0;
																	_t1135 = _t1274;
																	_v1880 = _v1880 & 0;
																	_v1872 = 0;
																	__eflags = _t1236;
																	if(_t1236 == 0) {
																		L240:
																		__eflags = _t1135 - 0x73;
																		if(_t1135 == 0x73) {
																			goto L258;
																		} else {
																			_t1134 = _v1896;
																			_t1190 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1135 - 0x73;
																			if(_t1135 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1135 - _t892;
																			if(_t1135 == _t892) {
																				 *(_t1297 + _t1135 * 4 - 0x740) =  *(_t1297 + _t1135 * 4 - 0x740) & 0x00000000;
																				_t912 = _v1880 + 1 + _t1274;
																				__eflags = _t912;
																				_v1864 = _t912;
																			}
																			_t905 =  *(_v1908 + _v1880 * 4);
																			_t1195 = _v1876;
																			_t1193 = _t905 *  *(_t1195 + _t1274 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1297 + _t1135 * 4 - 0x740) =  *(_t1297 + _t1135 * 4 - 0x740) + _t905 *  *(_t1195 + _t1274 * 4) + _v1872;
																			asm("adc edx, 0x0");
																			_t909 = _v1880 + 1;
																			_t1135 = _t1135 + 1;
																			_v1880 = _t909;
																			__eflags = _t909 - _t1236;
																			_v1872 = _t1193;
																			_t892 = _v1864;
																			if(_t909 != _t1236) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1193;
																				if(_t1193 == 0) {
																					goto L240;
																				}
																				__eflags = _t1135 - 0x73;
																				if(_t1135 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1135 - _t892;
																					if(_t1135 == _t892) {
																						_t555 = _t1297 + _t1135 * 4 - 0x740;
																						 *_t555 =  *(_t1297 + _t1135 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t555;
																						_t561 = _t1135 + 1; // 0x1
																						_v1864 = _t561;
																					}
																					_t903 = _t1193;
																					_t1193 = 0;
																					 *(_t1297 + _t1135 * 4 - 0x740) =  *(_t1297 + _t1135 * 4 - 0x740) + _t903;
																					_t892 = _v1864;
																					asm("adc edx, edx");
																					_t1135 = _t1135 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1274 - _t892;
																	if(_t1274 == _t892) {
																		 *(_t1297 + _t1274 * 4 - 0x740) =  *(_t1297 + _t1274 * 4 - 0x740) & 0x00000000;
																		_t518 = _t1274 + 1; // 0x1
																		_t892 = _t518;
																		_v1864 = _t892;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1274 = _t1274 + 1;
																__eflags = _t1274 - _t1134;
															} while (_t1274 != _t1134);
															goto L243;
														}
													} else {
														_t1275 = _v468;
														_v1928 = _t1275;
														_v472 = _t1236;
														E00403BBE( &_v468, _t1065,  &_v1396, _t1236 << 2);
														_t1301 =  &(_t1301[4]);
														__eflags = _t1275;
														if(_t1275 == 0) {
															goto L202;
														} else {
															__eflags = _t1275 - 1;
															if(_t1275 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1136 = 0;
																	_t1237 = _v1928;
																	_t1276 = 0;
																	__eflags = 0;
																	_t1073 = _v472;
																	do {
																		_t921 = _t1237;
																		_t1191 = _t921 *  *(_t1297 + _t1276 * 4 - 0x1d0) >> 0x20;
																		 *(_t1297 + _t1276 * 4 - 0x1d0) = _t921 *  *(_t1297 + _t1276 * 4 - 0x1d0) + _t1136;
																		asm("adc edx, 0x0");
																		_t1276 = _t1276 + 1;
																		_t1136 = _t1191;
																		__eflags = _t1276 - _t1073;
																	} while (_t1276 != _t1073);
																	goto L207;
																}
															}
														}
													}
												} else {
													_t1238 = _v1396;
													__eflags = _t1238;
													if(_t1238 != 0) {
														__eflags = _t1238 - 1;
														if(_t1238 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1137 = 0;
																_t1277 = 0;
																__eflags = 0;
																_t1072 = _v472;
																do {
																	_t926 = _t1238;
																	_t1192 = _t926 *  *(_t1297 + _t1277 * 4 - 0x1d0) >> 0x20;
																	 *(_t1297 + _t1277 * 4 - 0x1d0) = _t926 *  *(_t1297 + _t1277 * 4 - 0x1d0) + _t1137;
																	asm("adc edx, 0x0");
																	_t1277 = _t1277 + 1;
																	_t1137 = _t1192;
																	__eflags = _t1277 - _t1072;
																} while (_t1277 != _t1072);
																L207:
																_t1065 = 0x1cc;
																__eflags = _t1136;
																if(_t1136 == 0) {
																	goto L245;
																} else {
																	_t924 = _v472;
																	__eflags = _t924 - 0x73;
																	if(_t924 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00403BBE( &_v468, _t1065,  &_v2404, 0);
																		_t1301 =  &(_t1301[4]);
																		_t897 = 0;
																	} else {
																		 *(_t1297 + _t924 * 4 - 0x1d0) = _t1136;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L202:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t894 =  &_v2404;
														L244:
														_push(_t894);
														_push(_t1065);
														_push( &_v468);
														E00403BBE();
														_t1301 =  &(_t1301[4]);
														L245:
														_t897 = 1;
													}
												}
												L246:
												__eflags = _t897;
												if(_t897 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t875 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t833 = _v1892 - _v1868;
												__eflags = _t833;
												_v1892 = _t833;
											} while (_t833 != 0);
											_t1120 = _v1912;
											goto L249;
										}
									} else {
										_t929 = _t831 / _t1119;
										_v1908 = _t929;
										_t1138 = _t831 % _t1119;
										_v1928 = _t1138;
										__eflags = _t929;
										if(_t929 == 0) {
											L183:
											__eflags = _t1138;
											if(_t1138 != 0) {
												_t930 =  *(0x4120d4 + _t1138 * 4);
												_v1928 = _t930;
												__eflags = _t930;
												if(_t930 != 0) {
													__eflags = _t930 - 1;
													if(_t930 != 1) {
														_t1139 = _v936;
														__eflags = _t1139;
														if(_t1139 != 0) {
															_t1239 = 0;
															_t1278 = 0;
															__eflags = 0;
															do {
																_t1197 = _t930 *  *(_t1297 + _t1278 * 4 - 0x3a0) >> 0x20;
																 *(_t1297 + _t1278 * 4 - 0x3a0) = _t930 *  *(_t1297 + _t1278 * 4 - 0x3a0) + _t1239;
																_t930 = _v1928;
																asm("adc edx, 0x0");
																_t1278 = _t1278 + 1;
																_t1239 = _t1197;
																__eflags = _t1278 - _t1139;
															} while (_t1278 != _t1139);
															__eflags = _t1239;
															if(_t1239 != 0) {
																_t933 = _v936;
																__eflags = _t933 - 0x73;
																if(_t933 >= 0x73) {
																	goto L185;
																} else {
																	 *(_t1297 + _t933 * 4 - 0x3a0) = _t1239;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L185:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L189;
												}
											}
										} else {
											do {
												__eflags = _t929 - 0x26;
												if(_t929 > 0x26) {
													_t929 = 0x26;
												}
												_t1140 =  *(0x41203e + _t929 * 4) & 0x000000ff;
												_v1876 = _t929;
												_v1400 = ( *(0x41203e + _t929 * 4) & 0x000000ff) + ( *(0x41203f + _t929 * 4) & 0x000000ff);
												E003F7720(_t1140 << 2,  &_v1396, 0, _t1140 << 2);
												_t946 = E003F92F0( &(( &_v1396)[_t1140]), 0x411738 + ( *(0x41203c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x41203f + _t929 * 4) & 0x000000ff) << 2);
												_t1242 = _v1400;
												_t1301 =  &(_t1301[6]);
												__eflags = _t1242 - 1;
												if(_t1242 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1242 - _v936;
														_t1198 =  &_v1396;
														_t312 = _t1242 - _v936 > 0;
														__eflags = _t312;
														_t947 = _t946 & 0xffffff00 | _t312;
														if(_t312 >= 0) {
															_t1198 =  &_v932;
														}
														_v1868 = _t1198;
														_t1141 =  &_v932;
														__eflags = _t947;
														if(_t947 == 0) {
															_t1141 =  &_v1396;
														}
														_v1872 = _t1141;
														__eflags = _t947;
														if(_t947 == 0) {
															_t1142 = _v936;
															_v1892 = _t1142;
														} else {
															_t1142 = _t1242;
															_v1892 = _t1242;
														}
														__eflags = _t947;
														if(_t947 != 0) {
															_t1242 = _v936;
														}
														_t948 = 0;
														_t1280 = 0;
														_v1864 = 0;
														__eflags = _t1142;
														if(_t1142 == 0) {
															L176:
															_v936 = _t948;
															_t949 = _t948 << 2;
															__eflags = _t949;
															goto L177;
														} else {
															do {
																__eflags =  *(_t1198 + _t1280 * 4);
																if( *(_t1198 + _t1280 * 4) != 0) {
																	_t1201 = 0;
																	_t1143 = _t1280;
																	_v1880 = _v1880 & 0;
																	_v1896 = 0;
																	__eflags = _t1242;
																	if(_t1242 == 0) {
																		L173:
																		__eflags = _t1143 - 0x73;
																		if(_t1143 == 0x73) {
																			goto L186;
																		} else {
																			_t1142 = _v1892;
																			_t1198 = _v1868;
																			goto L175;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1143 - 0x73;
																			if(_t1143 == 0x73) {
																				goto L168;
																			}
																			__eflags = _t1143 - _t948;
																			if(_t1143 == _t948) {
																				 *(_t1297 + _t1143 * 4 - 0x740) =  *(_t1297 + _t1143 * 4 - 0x740) & 0x00000000;
																				_t968 = _v1880 + 1 + _t1280;
																				__eflags = _t968;
																				_v1864 = _t968;
																			}
																			_t961 =  *(_v1872 + _v1880 * 4);
																			_t1203 = _v1868;
																			_t1201 = _t961 *  *(_t1203 + _t1280 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1297 + _t1143 * 4 - 0x740) =  *(_t1297 + _t1143 * 4 - 0x740) + _t961 *  *(_t1203 + _t1280 * 4) + _v1896;
																			asm("adc edx, 0x0");
																			_t965 = _v1880 + 1;
																			_t1143 = _t1143 + 1;
																			_v1880 = _t965;
																			__eflags = _t965 - _t1242;
																			_v1896 = _t1201;
																			_t948 = _v1864;
																			if(_t965 != _t1242) {
																				continue;
																			} else {
																				goto L168;
																			}
																			while(1) {
																				L168:
																				__eflags = _t1201;
																				if(_t1201 == 0) {
																					goto L173;
																				}
																				__eflags = _t1143 - 0x73;
																				if(_t1143 == 0x73) {
																					L186:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t956 =  &_v2404;
																					goto L187;
																				} else {
																					__eflags = _t1143 - _t948;
																					if(_t1143 == _t948) {
																						_t368 = _t1297 + _t1143 * 4 - 0x740;
																						 *_t368 =  *(_t1297 + _t1143 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t368;
																						_t374 = _t1143 + 1; // 0x1
																						_v1864 = _t374;
																					}
																					_t959 = _t1201;
																					_t1201 = 0;
																					 *(_t1297 + _t1143 * 4 - 0x740) =  *(_t1297 + _t1143 * 4 - 0x740) + _t959;
																					_t948 = _v1864;
																					asm("adc edx, edx");
																					_t1143 = _t1143 + 1;
																					continue;
																				}
																				goto L180;
																			}
																			goto L173;
																		}
																		goto L168;
																	}
																} else {
																	__eflags = _t1280 - _t948;
																	if(_t1280 == _t948) {
																		 *(_t1297 + _t1280 * 4 - 0x740) =  *(_t1297 + _t1280 * 4 - 0x740) & 0x00000000;
																		_t331 = _t1280 + 1; // 0x1
																		_t948 = _t331;
																		_v1864 = _t948;
																	}
																	goto L175;
																}
																goto L180;
																L175:
																_t1280 = _t1280 + 1;
																__eflags = _t1280 - _t1142;
															} while (_t1280 != _t1142);
															goto L176;
														}
													} else {
														_t1281 = _v932;
														_v1884 = _t1281;
														_v936 = _t1242;
														E00403BBE( &_v932, _t1065,  &_v1396, _t1242 << 2);
														_t1301 =  &(_t1301[4]);
														__eflags = _t1281;
														if(_t1281 != 0) {
															__eflags = _t1281 - 1;
															if(_t1281 == 1) {
																goto L179;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L179;
																} else {
																	_t1144 = 0;
																	_t1243 = _v1884;
																	_t1282 = 0;
																	__eflags = 0;
																	_t1075 = _v936;
																	do {
																		_t976 = _t1243;
																		_t1199 = _t976 *  *(_t1297 + _t1282 * 4 - 0x3a0) >> 0x20;
																		 *(_t1297 + _t1282 * 4 - 0x3a0) = _t976 *  *(_t1297 + _t1282 * 4 - 0x3a0) + _t1144;
																		asm("adc edx, 0x0");
																		_t1282 = _t1282 + 1;
																		_t1144 = _t1199;
																		__eflags = _t1282 - _t1075;
																	} while (_t1282 != _t1075);
																	goto L147;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t950 =  &_v1396;
															goto L178;
														}
													}
												} else {
													_t1244 = _v1396;
													__eflags = _t1244;
													if(_t1244 != 0) {
														__eflags = _t1244 - 1;
														if(_t1244 == 1) {
															goto L179;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L179;
															} else {
																_t1145 = 0;
																_t1283 = 0;
																__eflags = 0;
																_t1074 = _v936;
																do {
																	_t983 = _t1244;
																	_t1200 = _t983 *  *(_t1297 + _t1283 * 4 - 0x3a0) >> 0x20;
																	 *(_t1297 + _t1283 * 4 - 0x3a0) = _t983 *  *(_t1297 + _t1283 * 4 - 0x3a0) + _t1145;
																	asm("adc edx, 0x0");
																	_t1283 = _t1283 + 1;
																	_t1145 = _t1200;
																	__eflags = _t1283 - _t1074;
																} while (_t1283 != _t1074);
																L147:
																_t1065 = 0x1cc;
																__eflags = _t1144;
																if(_t1144 == 0) {
																	goto L179;
																} else {
																	_t979 = _v936;
																	__eflags = _t979 - 0x73;
																	if(_t979 < 0x73) {
																		 *(_t1297 + _t979 * 4 - 0x3a0) = _t1144;
																		_v936 = _v936 + 1;
																		goto L179;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t956 =  &_v1396;
																		L187:
																		_push(_t956);
																		_push(_t1065);
																		_push( &_v932);
																		E00403BBE();
																		_t1301 =  &(_t1301[4]);
																		_t953 = 0;
																	}
																}
															}
														}
													} else {
														_t949 = 0;
														_v1864 = 0;
														_v936 = 0;
														L177:
														_push(_t949);
														_t950 =  &_v1860;
														L178:
														_push(_t950);
														_push(_t1065);
														_push( &_v932);
														E00403BBE();
														_t1301 =  &(_t1301[4]);
														L179:
														_t953 = 1;
													}
												}
												L180:
												__eflags = _t953;
												if(_t953 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t403 =  &_v936;
													 *_t403 = _v936 & 0x00000000;
													__eflags =  *_t403;
													_push(0);
													L189:
													_push( &_v2404);
													_t875 =  &_v932;
													L262:
													_push(_t1065);
													_push(_t875);
													E00403BBE();
													_t1301 =  &(_t1301[4]);
												} else {
													goto L181;
												}
												goto L263;
												L181:
												_t929 = _v1908 - _v1876;
												__eflags = _t929;
												_v1908 = _t929;
											} while (_t929 != 0);
											_t1138 = _v1928;
											goto L183;
										}
									}
									L263:
									_t1228 = _v1904;
									_t1269 = _t1228;
									_t1121 = _v472;
									_v1876 = _t1269;
									__eflags = _t1121;
									if(_t1121 != 0) {
										_t1271 = 0;
										_t1232 = 0;
										__eflags = 0;
										_t1070 = 0xa;
										do {
											_t864 =  *(_t1297 + _t1232 * 4 - 0x1d0);
											_t1188 = _t864 * _t1070 >> 0x20;
											 *(_t1297 + _t1232 * 4 - 0x1d0) = _t864 * _t1070 + _t1271;
											asm("adc edx, 0x0");
											_t1232 = _t1232 + 1;
											_t1271 = _t1188;
											__eflags = _t1232 - _t1121;
										} while (_t1232 != _t1121);
										_v1912 = _t1271;
										__eflags = _t1271;
										_t1269 = _v1876;
										if(_t1271 != 0) {
											_t1130 = _v472;
											__eflags = _t1130 - 0x73;
											if(_t1130 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00403BBE( &_v468, 0x1cc,  &_v2404, 0);
												_t1301 =  &(_t1301[4]);
											} else {
												 *(_t1297 + _t1130 * 4 - 0x1d0) = _t1188;
												_v472 = _v472 + 1;
											}
										}
										_t1228 = _t1269;
									}
									_t836 = E004065E0( &_v472,  &_v936);
									__eflags = _t836 - 0xa;
									if(_t836 != 0xa) {
										__eflags = _t836;
										if(_t836 != 0) {
											_t837 = _t836 + 0x30;
											__eflags = _t837;
											_t1269 = _t1228 + 1;
											 *_t1228 = _t837;
											goto L282;
										} else {
											_t838 = _v1900 - 1;
										}
									} else {
										_v1900 = _v1900 + 1;
										_t1269 = _t1228 + 1;
										_t855 = _v936;
										 *_t1228 = 0x31;
										_v1876 = _t1269;
										__eflags = _t855;
										if(_t855 != 0) {
											_t1231 = 0;
											_t1270 = _t855;
											_t1129 = 0;
											__eflags = 0;
											_t1068 = 0xa;
											do {
												_t856 =  *(_t1297 + _t1129 * 4 - 0x3a0);
												 *(_t1297 + _t1129 * 4 - 0x3a0) = _t856 * _t1068 + _t1231;
												asm("adc edx, 0x0");
												_t1129 = _t1129 + 1;
												_t1231 = _t856 * _t1068 >> 0x20;
												__eflags = _t1129 - _t1270;
											} while (_t1129 != _t1270);
											_t1269 = _v1876;
											__eflags = _t1231;
											if(_t1231 != 0) {
												_t859 = _v936;
												__eflags = _t859 - 0x73;
												if(_t859 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00403BBE( &_v932, 0x1cc,  &_v2404, 0);
													_t1301 =  &(_t1301[4]);
												} else {
													 *(_t1297 + _t859 * 4 - 0x3a0) = _t1231;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t838 = _v1900;
									}
									 *(_v1924 + 4) = _t838;
									_t1092 = _v1920;
									__eflags = _t838;
									if(_t838 >= 0) {
										__eflags = _t1092 - 0x7fffffff;
										if(_t1092 <= 0x7fffffff) {
											_t1092 = _t1092 + _t838;
											__eflags = _t1092;
										}
									}
									_t840 = _a24 - 1;
									__eflags = _t840 - _t1092;
									if(_t840 >= _t1092) {
										_t840 = _t1092;
									}
									_t841 = _t840 + _v1904;
									_v1920 = _t841;
									__eflags = _t1269 - _t841;
									if(__eflags != 0) {
										while(1) {
											_t842 = _v472;
											__eflags = _t842;
											if(__eflags == 0) {
												goto L303;
											}
											_t1229 = 0;
											_t1066 = _t842;
											_t1125 = 0;
											__eflags = 0;
											do {
												_t843 =  *(_t1297 + _t1125 * 4 - 0x1d0);
												 *(_t1297 + _t1125 * 4 - 0x1d0) = _t843 * 0x3b9aca00 + _t1229;
												asm("adc edx, 0x0");
												_t1125 = _t1125 + 1;
												_t1229 = _t843 * 0x3b9aca00 >> 0x20;
												__eflags = _t1125 - _t1066;
											} while (_t1125 != _t1066);
											__eflags = _t1229;
											if(_t1229 != 0) {
												_t849 = _v472;
												__eflags = _t849 - 0x73;
												if(_t849 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00403BBE( &_v468, 0x1cc,  &_v2404, 0);
													_t1301 =  &(_t1301[4]);
												} else {
													 *(_t1297 + _t849 * 4 - 0x1d0) = _t1229;
													_v472 = _v472 + 1;
												}
											}
											_t848 = E004065E0( &_v472,  &_v936);
											_t1230 = 8;
											_t1092 = _v1920 - _t1269;
											__eflags = _t1092;
											do {
												_t703 = _t848 % _v1888;
												_t848 = _t848 / _v1888;
												_t1186 = _t703 + 0x30;
												__eflags = _t1092 - _t1230;
												if(_t1092 >= _t1230) {
													 *((char*)(_t1230 + _t1269)) = _t1186;
												}
												_t1230 = _t1230 - 1;
												__eflags = _t1230 - 0xffffffff;
											} while (_t1230 != 0xffffffff);
											__eflags = _t1092 - 9;
											if(_t1092 > 9) {
												_t1092 = 9;
											}
											_t1269 = _t1269 + _t1092;
											__eflags = _t1269 - _v1920;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1269 = 0;
									goto L304;
								}
							}
						}
					}
				} else {
					_t1092 = _t1256 & 0x000fffff;
					if((_t1053 | _t1256 & 0x000fffff) != 0) {
						goto L11;
					} else {
						_push(0x4120fc);
						_push(_a24);
						 *(_v1924 + 4) =  *(_v1924 + 4) & 0x00000000;
						_push(_t1174);
						L311:
						if(E003FF73A() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E003FDA69();
							asm("int3");
							_push(_t1297);
							_push(_t1218);
							_t1219 = E00401606(_v2432);
							__eflags =  *(_v2432 + 0xc) & 0x00000006;
							if(__eflags != 0) {
								__eflags =  *(_a4 + 0xc) >> 0x0000000c & 0x00000001;
								if(__eflags == 0) {
									_t774 =  *(_a4 + 0xc);
									__eflags = _t774 & 0x00000001;
									if((_t774 & 0x00000001) == 0) {
										L324:
										_push(_t1053);
										_t1054 = 2;
										asm("lock or [eax], ebx");
										_push(0xfffffff7);
										asm("lock and [eax], ecx");
										 *(_a4 + 8) =  *(_a4 + 8) & 0x00000000;
										_t781 =  *(_a4 + 0xc);
										__eflags = _t781 & 0x000004c0;
										if((_t781 & 0x000004c0) == 0) {
											_push(_t1256);
											_t786 = E003F992C(1);
											__eflags = _a4 - _t786;
											if(_a4 == _t786) {
												L327:
												_t787 = E00408033(_t1219);
												_pop(_t1101);
												__eflags = _t787;
												if(__eflags == 0) {
													goto L328;
												}
											} else {
												_t789 = E003F992C(_t1054);
												_pop(_t1101);
												__eflags = _a4 - _t789;
												if(__eflags != 0) {
													L328:
													E00408D0B(_t1101, __eflags, _a4);
												} else {
													goto L327;
												}
											}
										}
										_t1055 = _v0;
										_t782 = E00407ED7(_t1055, _a4);
										__eflags = _t782;
										if(_t782 != 0) {
											_t783 = _t1055 & 0x000000ff;
										} else {
											_push(0x10);
											asm("lock or [eax], ecx");
											_t783 = _a4 + 0x0000000c | 0xffffffff;
										}
									} else {
										_t790 = E00407FA3(_a4);
										 *(_a4 + 8) =  *(_a4 + 8) & 0x00000000;
										__eflags = _t790;
										_t791 = _a4;
										if(_t790 == 0) {
											goto L318;
										} else {
											 *_t791 =  *((intOrPtr*)(_t791 + 4));
											_push(0xfffffffe);
											asm("lock and [eax], ecx");
											goto L324;
										}
									}
								} else {
									 *((intOrPtr*)(E003FD87D(__eflags))) = 0x22;
									goto L317;
								}
							} else {
								 *((intOrPtr*)(E003FD87D(__eflags))) = 9;
								L317:
								_t791 = _a4;
								L318:
								_push(0x10);
								asm("lock or [eax], ecx");
								_t783 = _t791 + 0x0000000c | 0xffffffff;
							}
							return _t783;
						} else {
							L304:
							_t1309 = _v1936;
							if(_v1936 != 0) {
								E0040981C(_t1092, _t1309,  &_v1944);
							}
							return E003F5D05(_v8 ^ _t1297);
						}
					}
				}
			}

0x00406a78
0x00406a83
0x00406a8a
0x00406a90
0x00406a99
0x00406aa6
0x00406ab7
0x00406ac9
0x00406acf
0x00406ab9
0x00406ab9
0x00406ab9
0x00406ad7
0x00406ada
0x00406adb
0x00406ae1
0x00406ae2
0x00406ae4
0x00406af1
0x00406aec
0x00406aee
0x00406aee
0x00406af3
0x00406af9
0x00406aff
0x00406b03
0x00406b10
0x00406b38
0x00406b3c
0x00406b42
0x00406b44
0x00406b4c
0x00406b4c
0x00406b53
0x00406b53
0x00406b56
0x00407dae
0x00000000
0x00406b5c
0x00406b5c
0x00406b5c
0x00406b5f
0x00407d91
0x00000000
0x00406b65
0x00406b65
0x00406b65
0x00406b68
0x00407d8a
0x00000000
0x00406b6e
0x00406b6e
0x00406b71
0x00407d83
0x00407d96
0x00407d96
0x00407d99
0x00407d9f
0x00000000
0x00406b77
0x00406b80
0x00406b88
0x00406b8b
0x00406b8e
0x00406b91
0x00406b97
0x00406b9f
0x00406ba5
0x00406baf
0x00406baf
0x00406bb2
0x00406bbb
0x00406bbd
0x00406bc2
0x00406bc2
0x00406bb4
0x00406bb6
0x00406bb8
0x00406bb8
0x00406bca
0x00406bd2
0x00406bd8
0x00406bda
0x00406be3
0x00406be9
0x00406bee
0x00406bef
0x00406bf0
0x00406bf3
0x00406bff
0x00406c01
0x00406c09
0x00406c0a
0x00406c10
0x00406c1a
0x00406c1a
0x00406c1c
0x00406c12
0x00406c12
0x00406c18
0x00000000
0x00000000
0x00406c18
0x00406c22
0x00406c30
0x00406c32
0x00406c3b
0x00406c41
0x00406c48
0x00406c49
0x00406c4f
0x00406c55
0x00407033
0x00407036
0x0040714e
0x0040714e
0x00407155
0x00407155
0x00407155
0x0040715c
0x0040715f
0x00407164
0x00407164
0x00407161
0x00407161
0x00407161
0x00407166
0x00407168
0x00407168
0x00407170
0x00407176
0x00407178
0x0040717b
0x00407181
0x00407183
0x00407183
0x00407185
0x00407196
0x00407196
0x00407196
0x00407187
0x0040718e
0x0040718e
0x0040719d
0x004071a0
0x004071a2
0x004071a8
0x004071a8
0x004071a4
0x004071a4
0x004071a4
0x004071b0
0x004071ba
0x004071c1
0x004071c2
0x004071c5
0x00000000
0x00000000
0x004071c7
0x004071c7
0x004071cf
0x004071d5
0x004071d8
0x004071e5
0x004071da
0x004071dd
0x004071dd
0x004071fe
0x0040720a
0x00407217
0x00407219
0x0040703c
0x0040703c
0x00407043
0x0040704d
0x00407057
0x00407059
0x0040705f
0x0040705f
0x00407061
0x00407061
0x00407068
0x0040706f
0x00000000
0x00000000
0x00407075
0x00407078
0x0040707b
0x00000000
0x0040707d
0x0040707d
0x0040707d
0x0040707d
0x00407084
0x00407087
0x0040708c
0x0040708c
0x00407089
0x00407089
0x00407089
0x0040708e
0x00407090
0x00407090
0x00407098
0x0040709e
0x004070a0
0x004070a3
0x004070a9
0x004070ab
0x004070ab
0x004070ad
0x004070be
0x004070be
0x004070be
0x004070af
0x004070b6
0x004070b6
0x004070c5
0x004070c8
0x004070ca
0x004070d0
0x004070d0
0x004070cc
0x004070cc
0x004070cc
0x004070d8
0x004070e3
0x004070ea
0x004070eb
0x004070ee
0x00000000
0x00000000
0x004070f0
0x004070f0
0x004070f8
0x004070fe
0x00407101
0x0040710e
0x00407103
0x00407106
0x00407106
0x00407127
0x00407133
0x00407142
0x00407142
0x00000000
0x0040707b
0x00407061
0x00000000
0x00407059
0x00407220
0x00407220
0x00407223
0x00407228
0x0040722e
0x00407234
0x00407247
0x0040724c
0x00406c5b
0x00406c5b
0x00406c62
0x00406c6c
0x00406c76
0x00406c78
0x00406e72
0x00406e72
0x00406e7e
0x00406e81
0x00406e86
0x00406e8e
0x00406e95
0x00406ea7
0x00406ea8
0x00406ea8
0x00406ea8
0x00406eaf
0x00406eb5
0x00406eb7
0x00406ebd
0x00406ec0
0x00406ec5
0x00406ec5
0x00406ec2
0x00406ec2
0x00406ec2
0x00406ec7
0x00406eca
0x00406ecc
0x00406ed2
0x00406ed8
0x00406edb
0x00406ee9
0x00406ee9
0x00406ee9
0x00406edd
0x00406edd
0x00406ee3
0x00000000
0x00406ee5
0x00406ee5
0x00406ee5
0x00406ee3
0x00406eeb
0x00406eee
0x00406fe1
0x00406fe1
0x00406fe3
0x00406fe9
0x00406fef
0x00407004
0x00407009
0x00406ef4
0x00406ef4
0x00406ef6
0x00000000
0x00406efc
0x00406efc
0x00406eff
0x00406f03
0x00406f04
0x00406f04
0x00406f0a
0x00406f0c
0x00406f12
0x00406f15
0x00406f1b
0x00406f23
0x00406f23
0x00406f2b
0x00406f2e
0x00406f2e
0x00406f30
0x00000000
0x00000000
0x00406f32
0x00406f34
0x00406f3a
0x00406f3a
0x00406f36
0x00406f36
0x00406f36
0x00406f3c
0x00406f45
0x00406f47
0x00406f4e
0x00406f4e
0x00406f49
0x00406f49
0x00406f49
0x00406f56
0x00406f75
0x00406f7d
0x00406f84
0x00406f85
0x00406f86
0x00406f8c
0x00406f8f
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406f8f
0x00406f99
0x00406f9f
0x00406fa5
0x00406fa5
0x00406fab
0x00406fad
0x00406fb7
0x00406fb9
0x00406fb9
0x00406fbb
0x00406fbb
0x00406fc1
0x00406fc6
0x00406fcc
0x00406fd9
0x00406fce
0x00406fd1
0x00406fd1
0x00406fcc
0x00406ef6
0x0040700c
0x00407016
0x00407020
0x00407026
0x0040702c
0x00406c7e
0x00406c7e
0x00406c7e
0x00406c80
0x00406c87
0x00406c8e
0x00000000
0x00000000
0x00406c94
0x00406c97
0x00406c9a
0x00000000
0x00406c9c
0x00406c9c
0x00406ca8
0x00406cab
0x00406cb0
0x00406cb8
0x00406cbf
0x00406cd1
0x00406cd2
0x00406cd2
0x00406cd2
0x00406cd9
0x00406cdf
0x00406ce1
0x00406ce7
0x00406cea
0x00406cef
0x00406cef
0x00406cec
0x00406cec
0x00406cec
0x00406cf1
0x00406cf4
0x00406cf6
0x00406cfc
0x00406d02
0x00406d05
0x00406d13
0x00406d13
0x00406d13
0x00406d07
0x00406d07
0x00406d0d
0x00000000
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d0d
0x00406d15
0x00406d18
0x00406e0b
0x00406e0b
0x00406e0d
0x00406e13
0x00406e19
0x00406e2e
0x00406e33
0x00406d1e
0x00406d1e
0x00406d20
0x00000000
0x00406d26
0x00406d26
0x00406d29
0x00406d2d
0x00406d2e
0x00406d2e
0x00406d34
0x00406d36
0x00406d3c
0x00406d3f
0x00406d45
0x00406d4d
0x00406d4d
0x00406d55
0x00406d58
0x00406d58
0x00406d5a
0x00000000
0x00000000
0x00406d5c
0x00406d5e
0x00406d64
0x00406d64
0x00406d60
0x00406d60
0x00406d60
0x00406d66
0x00406d6f
0x00406d71
0x00406d78
0x00406d78
0x00406d73
0x00406d73
0x00406d73
0x00406d80
0x00406d9f
0x00406da7
0x00406dae
0x00406daf
0x00406db0
0x00406db6
0x00406db9
0x00406dbb
0x00000000
0x00406dbb
0x00000000
0x00406db9
0x00406dc3
0x00406dc9
0x00406dcf
0x00406dcf
0x00406dd5
0x00406dd7
0x00406de1
0x00406de3
0x00406de3
0x00406de5
0x00406de5
0x00406deb
0x00406df0
0x00406df6
0x00406e03
0x00406df8
0x00406dfb
0x00406dfb
0x00406df6
0x00406d20
0x00406e36
0x00406e41
0x00406e42
0x00406e43
0x00406e49
0x00406e4f
0x00406e55
0x00406e55
0x00000000
0x00406c9a
0x00000000
0x00406c80
0x00406e56
0x00406e5c
0x00406e63
0x00406e64
0x00406e65
0x00406e6a
0x00406e6a
0x0040724f
0x00407259
0x0040725a
0x00407260
0x00407262
0x004076bc
0x004076be
0x004076c0
0x004076c6
0x004076c8
0x004076ce
0x004076d0
0x00407a17
0x00407a17
0x00407a19
0x00407a1f
0x00407a26
0x00407a2c
0x00407a2e
0x00407acc
0x00407acc
0x00407ace
0x00407acf
0x00407ad5
0x00000000
0x00407a34
0x00407a34
0x00407a37
0x00407a3d
0x00407a43
0x00407a45
0x00407a4b
0x00407a4d
0x00407a4d
0x00407a4f
0x00407a4f
0x00407a58
0x00407a5f
0x00407a65
0x00407a68
0x00407a69
0x00407a6b
0x00407a6b
0x00407a6f
0x00407a71
0x00407a73
0x00407a79
0x00407a7c
0x00000000
0x00407a7e
0x00407a7e
0x00407a85
0x00407a85
0x00407a7c
0x00407a71
0x00407a45
0x00407a37
0x00407a2e
0x004076d6
0x004076d6
0x004076d6
0x004076d9
0x004076dd
0x004076dd
0x004076de
0x004076f0
0x004076fd
0x0040770c
0x00407736
0x0040773b
0x00407741
0x00407744
0x00407747
0x004077dd
0x004077e4
0x0040786a
0x00407870
0x00407876
0x00407876
0x00407876
0x00407879
0x0040787b
0x0040787b
0x00407881
0x00407887
0x0040788d
0x0040788f
0x00407891
0x00407891
0x00407897
0x0040789d
0x0040789f
0x004078ab
0x004078b1
0x004078a1
0x004078a1
0x004078a3
0x004078a3
0x004078b7
0x004078b9
0x004078bb
0x004078bb
0x004078c1
0x004078c3
0x004078c5
0x004078cb
0x004078cd
0x004079ce
0x004079ce
0x004079d4
0x004079d4
0x004079d7
0x004079d8
0x00000000
0x004078d3
0x004078d3
0x004078d3
0x004078d7
0x004078f7
0x004078f9
0x004078fb
0x00407901
0x00407907
0x00407909
0x004079b0
0x004079b0
0x004079b3
0x00000000
0x004079b9
0x004079b9
0x004079bf
0x00000000
0x004079bf
0x0040790f
0x0040790f
0x0040790f
0x00407912
0x00000000
0x00000000
0x00407914
0x00407916
0x0040791e
0x00407927
0x00407927
0x00407929
0x00407929
0x0040793b
0x0040793e
0x00407944
0x0040794d
0x00407950
0x0040795d
0x00407960
0x00407961
0x00407962
0x00407968
0x0040796a
0x00407970
0x00407976
0x00000000
0x00000000
0x00000000
0x00000000
0x00407978
0x00407978
0x00407978
0x0040797a
0x00000000
0x00000000
0x0040797c
0x0040797f
0x00000000
0x00407985
0x00407985
0x00407987
0x00407989
0x00407989
0x00407989
0x00407991
0x00407994
0x00407994
0x0040799a
0x0040799c
0x0040799e
0x004079a5
0x004079ab
0x004079ad
0x00000000
0x004079ad
0x00000000
0x0040797f
0x00000000
0x00407978
0x00000000
0x0040790f
0x004078d9
0x004078d9
0x004078db
0x004078e1
0x004078e9
0x004078e9
0x004078ec
0x004078ec
0x00000000
0x004078db
0x00000000
0x004079c5
0x004079c5
0x004079c6
0x004079c6
0x00000000
0x004078d3
0x004077ea
0x004077ea
0x004077fc
0x00407809
0x00407811
0x00407816
0x00407819
0x0040781b
0x00000000
0x00407821
0x00407821
0x00407824
0x00000000
0x0040782a
0x0040782a
0x00407831
0x00000000
0x00407837
0x0040783d
0x0040783f
0x00407845
0x00407845
0x00407847
0x00407849
0x00407849
0x0040784b
0x00407854
0x0040785b
0x0040785e
0x0040785f
0x00407861
0x00407861
0x00000000
0x00407865
0x00407831
0x00407824
0x0040781b
0x0040774d
0x0040774d
0x00407753
0x00407755
0x00407771
0x00407774
0x00000000
0x0040777a
0x0040777a
0x00407781
0x00000000
0x00407787
0x0040778d
0x0040778f
0x0040778f
0x00407791
0x00407793
0x00407793
0x00407795
0x0040779e
0x004077a5
0x004077a8
0x004077a9
0x004077ab
0x004077ab
0x004077af
0x004077af
0x004077b4
0x004077b6
0x00000000
0x004077bc
0x004077bc
0x004077c2
0x004077c5
0x00407a8d
0x00407a90
0x00407a96
0x00407aab
0x00407ab0
0x00407ab3
0x004077cb
0x004077cb
0x004077d2
0x00000000
0x004077d2
0x004077c5
0x004077b6
0x00407781
0x00407757
0x00407757
0x00407759
0x0040775f
0x00407765
0x00407766
0x004079de
0x004079de
0x004079e5
0x004079e6
0x004079e7
0x004079ec
0x004079ef
0x004079ef
0x004079ef
0x00407755
0x004079f1
0x004079f1
0x004079f3
0x00407aba
0x00407ac1
0x00407ac8
0x00407adb
0x00407ae1
0x00407ae2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004079f9
0x004079ff
0x004079ff
0x00407a05
0x00407a05
0x00407a11
0x00000000
0x00407a11
0x00407268
0x00407268
0x0040726a
0x00407270
0x00407272
0x00407278
0x0040727a
0x004075e2
0x004075e2
0x004075e4
0x004075ea
0x004075f1
0x004075f7
0x004075f9
0x00407658
0x0040765b
0x00407661
0x00407667
0x00407669
0x0040766f
0x00407671
0x00407671
0x00407673
0x00407673
0x0040767c
0x00407683
0x00407689
0x0040768c
0x0040768d
0x0040768f
0x0040768f
0x00407693
0x00407695
0x0040769b
0x004076a1
0x004076a4
0x00000000
0x004076aa
0x004076aa
0x004076b1
0x004076b1
0x004076a4
0x00407695
0x00407669
0x004075fb
0x004075fb
0x004075fd
0x00407603
0x00407609
0x00000000
0x00407609
0x004075f9
0x00407280
0x00407280
0x00407280
0x00407283
0x00407287
0x00407287
0x00407288
0x0040729a
0x004072a7
0x004072b6
0x004072e0
0x004072e5
0x004072eb
0x004072ee
0x004072f1
0x00407365
0x0040736c
0x00407439
0x0040743f
0x00407445
0x00407445
0x00407445
0x00407448
0x0040744a
0x0040744a
0x00407450
0x00407456
0x0040745c
0x0040745e
0x00407460
0x00407460
0x00407466
0x0040746c
0x0040746e
0x0040747a
0x00407480
0x00407470
0x00407470
0x00407472
0x00407472
0x00407486
0x00407488
0x0040748a
0x0040748a
0x00407490
0x00407492
0x00407494
0x0040749a
0x0040749c
0x0040759d
0x0040759d
0x004075a3
0x004075a3
0x00000000
0x004074a2
0x004074a2
0x004074a2
0x004074a6
0x004074c6
0x004074c8
0x004074ca
0x004074d0
0x004074d6
0x004074d8
0x0040757f
0x0040757f
0x00407582
0x00000000
0x00407588
0x00407588
0x0040758e
0x00000000
0x0040758e
0x004074de
0x004074de
0x004074de
0x004074e1
0x00000000
0x00000000
0x004074e3
0x004074e5
0x004074ed
0x004074f6
0x004074f6
0x004074f8
0x004074f8
0x0040750a
0x0040750d
0x00407513
0x0040751c
0x0040751f
0x0040752c
0x0040752f
0x00407530
0x00407531
0x00407537
0x00407539
0x0040753f
0x00407545
0x00000000
0x00000000
0x00000000
0x00000000
0x00407547
0x00407547
0x00407547
0x00407549
0x00000000
0x00000000
0x0040754b
0x0040754e
0x0040760c
0x0040760c
0x0040760e
0x00407614
0x0040761a
0x0040761b
0x00000000
0x00407554
0x00407554
0x00407556
0x00407558
0x00407558
0x00407558
0x00407560
0x00407563
0x00407563
0x00407569
0x0040756b
0x0040756d
0x00407574
0x0040757a
0x0040757c
0x00000000
0x0040757c
0x00000000
0x0040754e
0x00000000
0x00407547
0x00000000
0x004074de
0x004074a8
0x004074a8
0x004074aa
0x004074b0
0x004074b8
0x004074b8
0x004074bb
0x004074bb
0x00000000
0x004074aa
0x00000000
0x00407594
0x00407594
0x00407595
0x00407595
0x00000000
0x004074a2
0x00407372
0x00407372
0x00407384
0x00407391
0x00407399
0x0040739e
0x004073a1
0x004073a3
0x004073bf
0x004073c2
0x00000000
0x004073c8
0x004073c8
0x004073cf
0x00000000
0x004073d5
0x004073db
0x004073dd
0x004073e3
0x004073e3
0x004073e5
0x004073e7
0x004073e7
0x004073e9
0x004073f2
0x004073f9
0x004073fc
0x004073fd
0x004073ff
0x004073ff
0x00000000
0x004073e7
0x004073cf
0x004073a5
0x004073a7
0x004073ad
0x004073b3
0x004073b4
0x00000000
0x004073b4
0x004073a3
0x004072f3
0x004072f3
0x004072f9
0x004072fb
0x00407310
0x00407313
0x00000000
0x00407319
0x00407319
0x00407320
0x00000000
0x00407326
0x0040732c
0x0040732e
0x0040732e
0x00407330
0x00407332
0x00407332
0x00407334
0x0040733d
0x00407344
0x00407347
0x00407348
0x0040734a
0x0040734a
0x00407403
0x00407403
0x00407408
0x0040740a
0x00000000
0x00407410
0x00407410
0x00407416
0x00407419
0x00407353
0x0040735a
0x00000000
0x0040741f
0x00407421
0x00407427
0x0040742d
0x0040742e
0x00407621
0x00407621
0x00407628
0x00407629
0x0040762a
0x0040762f
0x00407632
0x00407632
0x00407419
0x0040740a
0x00407320
0x004072fd
0x004072fd
0x004072ff
0x00407305
0x004075a6
0x004075a6
0x004075a7
0x004075ad
0x004075ad
0x004075b4
0x004075b5
0x004075b6
0x004075bb
0x004075be
0x004075be
0x004075be
0x004072fb
0x004075c0
0x004075c0
0x004075c2
0x00407636
0x0040763d
0x0040763d
0x0040763d
0x00407644
0x00407646
0x0040764c
0x0040764d
0x00407ae8
0x00407ae8
0x00407ae9
0x00407aea
0x00407aef
0x00000000
0x00000000
0x00000000
0x00000000
0x004075c4
0x004075ca
0x004075ca
0x004075d0
0x004075d0
0x004075dc
0x00000000
0x004075dc
0x0040727a
0x00407af2
0x00407af2
0x00407af8
0x00407afa
0x00407b00
0x00407b06
0x00407b08
0x00407b0c
0x00407b0e
0x00407b0e
0x00407b10
0x00407b11
0x00407b11
0x00407b18
0x00407b1c
0x00407b23
0x00407b26
0x00407b27
0x00407b29
0x00407b29
0x00407b2d
0x00407b33
0x00407b35
0x00407b40
0x00407b42
0x00407b48
0x00407b4b
0x00407b5e
0x00407b61
0x00407b67
0x00407b7c
0x00407b81
0x00407b4d
0x00407b4f
0x00407b56
0x00407b56
0x00407b4b
0x00407b84
0x00407b84
0x00407b94
0x00407b9b
0x00407b9e
0x00407c3a
0x00407c3c
0x00407c47
0x00407c47
0x00407c49
0x00407c4c
0x00000000
0x00407c3e
0x00407c44
0x00407c44
0x00407ba4
0x00407ba4
0x00407baa
0x00407bad
0x00407bb3
0x00407bb6
0x00407bbc
0x00407bbe
0x00407bc6
0x00407bc8
0x00407bca
0x00407bca
0x00407bcc
0x00407bcd
0x00407bcd
0x00407bd8
0x00407bdf
0x00407be2
0x00407be3
0x00407be5
0x00407be5
0x00407be9
0x00407bf4
0x00407bf6
0x00407bf8
0x00407bfe
0x00407c01
0x00407c15
0x00407c1b
0x00407c30
0x00407c35
0x00407c03
0x00407c03
0x00407c0a
0x00407c0a
0x00407c01
0x00407bf6
0x00407c4e
0x00407c4e
0x00407c4e
0x00407c5a
0x00407c5d
0x00407c63
0x00407c65
0x00407c67
0x00407c6d
0x00407c6f
0x00407c6f
0x00407c6f
0x00407c6d
0x00407c74
0x00407c75
0x00407c77
0x00407c79
0x00407c79
0x00407c7b
0x00407c81
0x00407c87
0x00407c89
0x00407c8f
0x00407c8f
0x00407c95
0x00407c97
0x00000000
0x00000000
0x00407c9d
0x00407c9f
0x00407ca1
0x00407ca1
0x00407ca3
0x00407ca3
0x00407cb3
0x00407cba
0x00407cbd
0x00407cbe
0x00407cc0
0x00407cc0
0x00407cc9
0x00407ccb
0x00407ccd
0x00407cd3
0x00407cd6
0x00407ce7
0x00407cea
0x00407cf0
0x00407d05
0x00407d0a
0x00407cd8
0x00407cd8
0x00407cdf
0x00407cdf
0x00407cd6
0x00407d1b
0x00407d2a
0x00407d2b
0x00407d2b
0x00407d2d
0x00407d2f
0x00407d2f
0x00407d35
0x00407d38
0x00407d3a
0x00407d3c
0x00407d3c
0x00407d3f
0x00407d40
0x00407d40
0x00407d45
0x00407d48
0x00407d4c
0x00407d4c
0x00407d4d
0x00407d4f
0x00407d55
0x00000000
0x00000000
0x00000000
0x00407d55
0x00407c8f
0x00407d5b
0x00407d5b
0x00000000
0x00407d5b
0x00406b71
0x00406b68
0x00406b5f
0x00406b12
0x00406b16
0x00406b1e
0x00000000
0x00406b20
0x00406b26
0x00406b2b
0x00406b2e
0x00406b32
0x00407da0
0x00407daa
0x00407db7
0x00407db8
0x00407db9
0x00407dba
0x00407dbb
0x00407dbc
0x00407dc1
0x00407dc4
0x00407dc7
0x00407dd4
0x00407dda
0x00407ddd
0x00407e08
0x00407e0a
0x00407e1c
0x00407e20
0x00407e22
0x00407e4c
0x00407e4f
0x00407e52
0x00407e56
0x00407e5c
0x00407e62
0x00407e68
0x00407e6f
0x00407e73
0x00407e78
0x00407e7a
0x00407e80
0x00407e86
0x00407e88
0x00407e98
0x00407e99
0x00407e9e
0x00407e9f
0x00407ea1
0x00000000
0x00000000
0x00407e8a
0x00407e8e
0x00407e93
0x00407e94
0x00407e96
0x00407ea3
0x00407ea6
0x00000000
0x00000000
0x00000000
0x00407e96
0x00407eac
0x00407eb0
0x00407eb4
0x00407ebb
0x00407ebd
0x00407ed0
0x00407ebf
0x00407ec2
0x00407ec8
0x00407ecb
0x00407ecb
0x00407e24
0x00407e27
0x00407e30
0x00407e34
0x00407e36
0x00407e39
0x00000000
0x00407e3b
0x00407e3e
0x00407e43
0x00407e49
0x00000000
0x00407e49
0x00407e39
0x00407e0c
0x00407e11
0x00000000
0x00407e11
0x00407ddf
0x00407de4
0x00407dea
0x00407dea
0x00407ded
0x00407ded
0x00407df3
0x00407df6
0x00407df6
0x00407ed6
0x00407dac
0x00407d5e
0x00407d5e
0x00407d68
0x00407d71
0x00407d76
0x00407d82
0x00407d82
0x00407daa
0x00406b1e

APIs

__floor_pentium4.LIBCMT ref: 00406BF3

Strings

1#SNAN, xrefs: 00407D8A
1#QNAN, xrefs: 00407D91
1#IND, xrefs: 00407D83
1#INF, xrefs: 00407DAE

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 79ffc2a7f8c5e3c5e97d6c250fc2ae970be34e0d7401ab8ea54fa69886af143a
Instruction ID: 33b9508c43ea720ab95b2f5f48ebbca491f24157a8068768e6f3ca63728659e4
Opcode Fuzzy Hash: 79ffc2a7f8c5e3c5e97d6c250fc2ae970be34e0d7401ab8ea54fa69886af143a
Instruction Fuzzy Hash: 53C22B71E082288FDB25CE28DD407EAB7B5EB44315F1541EBD80EB7281E778AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 003F5450 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F5450(void* __esi) {
				intOrPtr _t4;
				intOrPtr _t5;
				void* _t12;
				void* _t15;
				intOrPtr _t17;
				void* _t19;

				_t17 =  *((intOrPtr*)( *[fs:0x2c]));
				_t4 =  *0x417954; // 0x80000001
				if(_t4 >  *((intOrPtr*)(_t17 + 4))) {
					E003F62A8(_t4, 0x417954);
					_t19 = _t19 + 4;
					_t23 =  *0x417954 - 0xffffffff;
					if( *0x417954 == 0xffffffff) {
						_t12 = GetProcessHeap();
						 *0x417978 = 0x4134e4;
						 *0x41797c = _t12;
						 *0x417980 = 0;
						E003F6153(_t15, _t23, 0x40ca00);
						E003F625E(0x417954);
						_t19 = _t19 + 8;
					}
				}
				_t5 =  *0x417958; // 0x80000002
				if(_t5 >  *((intOrPtr*)(_t17 + 4))) {
					E003F62A8(_t5, 0x417958);
					if( *0x417958 == 0xffffffff) {
						 *0x41795c = 0x4134fc;
						 *0x417960 = 0x417978;
						 *0x417970 = 2;
						 *0x417968 = 0;
						 *0x41796c = 0;
						 *0x417974 = 0;
						 *0x417964 = 0x41795c;
						E003F6153(_t15, 0, 0x40ca30);
						E003F625E("hXyA");
					}
				}
				return 0x41795c;
			}

0x003f5457
0x003f5459
0x003f5464
0x003f546b
0x003f5470
0x003f5473
0x003f547a
0x003f547c
0x003f5487
0x003f5491
0x003f5496
0x003f549d
0x003f54a7
0x003f54ac
0x003f54ac
0x003f547a
0x003f54af
0x003f54bb
0x003f54c2
0x003f54d1
0x003f54d5
0x003f54e4
0x003f54ee
0x003f54f8
0x003f5502
0x003f550c
0x003f5511
0x003f551b
0x003f5525
0x003f552a
0x003f54d1
0x003f5532

APIs

GetProcessHeap.KERNEL32 ref: 003F547C
__Init_thread_footer.LIBCMT ref: 003F54A7

Part of subcall function 003F625E: EnterCriticalSection.KERNEL32(00416EE8,?,?,003F552A,hXyA,0040CA30), ref: 003F6268
Part of subcall function 003F625E: LeaveCriticalSection.KERNEL32(00416EE8,?,?,003F552A,hXyA,0040CA30), ref: 003F629B
Part of subcall function 003F625E: RtlWakeAllConditionVariable.NTDLL ref: 003F6312

__Init_thread_footer.LIBCMT ref: 003F5525

Part of subcall function 003F62A8: EnterCriticalSection.KERNEL32(00416EE8,?,?,?,003F54C7,00417958,003F10B7,9D5F503D,?,0040C58A,000000FF), ref: 003F62B3
Part of subcall function 003F62A8: LeaveCriticalSection.KERNEL32(00416EE8,?,?,?,003F54C7,00417958,003F10B7,9D5F503D,?,0040C58A,000000FF), ref: 003F62F0

Strings

hXyA, xrefs: 003F5520
\yA, xrefs: 003F552D

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionHeapProcessVariableWake
String ID: \yA$hXyA
API String ID: 3269001908-2365976392
Opcode ID: d52324b1e5b85f5e9da8e869792112c2767c38e1c349fa3e04a0989058beed32
Instruction ID: 3633a22fe1735bea6f18eb1f6ddc50949ff08cf915336df9f2333ebaace3e7de
Opcode Fuzzy Hash: d52324b1e5b85f5e9da8e869792112c2767c38e1c349fa3e04a0989058beed32
Instruction Fuzzy Hash: 79119EF056A2969BF711DF28ED46BE43BB0A301314F108237E2159A2A1D378588CCF5E

Uniqueness

Uniqueness Score: -1.00%

Function 003F1090 Relevance: 6.3, Strings: 5, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E003F1090(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v24;
				char _v40;
				signed int _t10;
				signed int _t16;
				void* _t27;
				void* _t32;
				void* _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;
				signed int _t50;
				signed int _t54;

				_t50 = _t54;
				_push(0xffffffff);
				_push(E0040C58A);
				_push( *[fs:0x0]);
				_t10 =  *0x416014; // 0x9d5f503d
				_push(_t10 ^ _t50);
				 *[fs:0x0] =  &_v16;
				_t36 = E003F5450(__esi);
				if(_t36 == 0) {
					_push(0x80004005);
					E003F5550(__ebx, __edx, __edi, __esi);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t50);
					_push(0xffffffff);
					_push(E0040C64A);
					_push( *[fs:0x0]);
					_t16 =  *0x416014; // 0x9d5f503d
					_push(_t16 ^ _t54);
					 *[fs:0x0] =  &_v40;
					_t37 = E003F5450(__esi);
					__eflags = _t37;
					if(_t37 == 0) {
						_push(0x80004005);
						E003F5550(__ebx, __edx, __edi, __esi);
						asm("int3");
						E003F698C(0x416f28, __eflags);
						return E003F6153(0x416f28, __eflags, E0040CA31);
					} else {
						 *0x417950 =  *((intOrPtr*)( *_t37 + 0xc))() + 0x10;
						_t40 = 0x417950;
						_v16 = 0;
						__eflags = E003F4640(__ebx, 0x417950, __edx, L"Software\\FA_RSS");
						if(__eflags == 0) {
							_push(0xf);
							_t40 = 0x417950;
							E003F4890(__ebx, 0x417950, L"Software\\FA_RSS");
						}
						_t27 = E003F6153(_t40, __eflags, E0040C9E0);
						 *[fs:0x0] = _v24;
						return _t27;
					}
				} else {
					 *0x41794c =  *((intOrPtr*)( *_t36 + 0xc))() + 0x10;
					_t43 = 0x41794c;
					_v8 = 0;
					_t32 = E003F4640(__ebx, 0x41794c, __edx, 0x413548);
					_t61 = _t32;
					if(_t32 == 0) {
						_push(0);
						_t43 = 0x41794c;
						E003F4890(__ebx, 0x41794c, 0x413548);
					}
					_t33 = E003F6153(_t43, _t61, E0040C9C0);
					 *[fs:0x0] = _v16;
					return _t33;
				}
			}

0x003f1091
0x003f1093
0x003f1095
0x003f10a0
0x003f10a1
0x003f10a8
0x003f10ac
0x003f10b7
0x003f10bb
0x003f1111
0x003f1116
0x003f111b
0x003f111c
0x003f111d
0x003f111e
0x003f111f
0x003f1120
0x003f1123
0x003f1125
0x003f1130
0x003f1131
0x003f1138
0x003f113c
0x003f1147
0x003f1149
0x003f114b
0x003f11a1
0x003f11a6
0x003f11ab
0x003f11b1
0x003f11c1
0x003f114d
0x003f1155
0x003f115f
0x003f1164
0x003f1170
0x003f1172
0x003f1174
0x003f117b
0x003f1180
0x003f1180
0x003f118a
0x003f1195
0x003f11a0
0x003f11a0
0x003f10bd
0x003f10c5
0x003f10cf
0x003f10d4
0x003f10db
0x003f10e0
0x003f10e2
0x003f10e4
0x003f10eb
0x003f10f0
0x003f10f0
0x003f10fa
0x003f1105
0x003f1110
0x003f1110

Strings

PyA, xrefs: 003F117B
(oA, xrefs: 003F11AC
Software\FA_RSS, xrefs: 003F115A, 003F1176
PyA, xrefs: 003F115F
tyA, xrefs: 003F10C5, 003F10CF, 003F10EB

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Init_thread_footer$DebugDebuggerFindHeapOutputPresentProcessResourceString
String ID: (oA$PyA$PyA$Software\FA_RSS$tyA
API String ID: 2022073159-2739190050
Opcode ID: 2540d670d8ea4cc3e288edeff8b417047fb4612998608a9853ad56ef9324f86f
Instruction ID: b3c5e0f3ff73ad7cd8bc3bd121917034edf4a65373cd29d478627db8d01cff05
Opcode Fuzzy Hash: 2540d670d8ea4cc3e288edeff8b417047fb4612998608a9853ad56ef9324f86f
Instruction Fuzzy Hash: FD2106B1644648EBDB05EF64DC12BB97BA4DB01B10F10817AFB16AB7C2EF3998044A49

Uniqueness

Uniqueness Score: -1.00%

Function 003FD890 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E003FD890(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x416014; // 0x9d5f503d
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E003F66B9(_t41);
					_pop(_t62);
				}
				E003F7720(_t67,  &_v804, 0, 0x50);
				E003F7720(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E003F66B9(_t57);
				}
				return E003F5D05(_v8 ^ _t70);
			}

0x003fd890
0x003fd890
0x003fd890
0x003fd890
0x003fd89b
0x003fd8a0
0x003fd8a2
0x003fd8aa
0x003fd8ac
0x003fd8af
0x003fd8b4
0x003fd8b4
0x003fd8c0
0x003fd8d3
0x003fd8e1
0x003fd8e7
0x003fd8ed
0x003fd8f3
0x003fd8f9
0x003fd8ff
0x003fd905
0x003fd90b
0x003fd911
0x003fd917
0x003fd91e
0x003fd925
0x003fd92c
0x003fd933
0x003fd93a
0x003fd941
0x003fd942
0x003fd94b
0x003fd951
0x003fd954
0x003fd95a
0x003fd967
0x003fd970
0x003fd979
0x003fd982
0x003fd990
0x003fd992
0x003fd9a7
0x003fd9b3
0x003fd9b6
0x003fd9bb
0x003fd9c8

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000004), ref: 003FD988
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000004), ref: 003FD992
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000004), ref: 003FD99F

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 888d4baad2e6e4cf92c7f0edb84477e01134c42308726d650bb90e5fd6a9407e
Instruction ID: 1b548acd8b051840e67103154752baa5655087856867c1f30155717b464109e7
Opcode Fuzzy Hash: 888d4baad2e6e4cf92c7f0edb84477e01134c42308726d650bb90e5fd6a9407e
Instruction Fuzzy Hash: E131C57491121C9BCB21DF64D9897DDBBB4BF08310F5041EAE91CAB251EB709F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 003F4E20 Relevance: 4.5, APIs: 3, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F4E20(struct HINSTANCE__* __ecx, struct HRSRC__* __edx, signed int _a4) {
				void* _t5;
				struct HINSTANCE__* _t11;
				signed int _t14;
				void* _t16;
				struct HRSRC__* _t17;
				signed short* _t18;

				_t17 = __edx;
				_t11 = __ecx;
				_t5 = LoadResource(__ecx, __edx);
				if(_t5 == 0) {
					L8:
					return 0;
				} else {
					_t18 = LockResource(_t5);
					if(_t18 == 0) {
						goto L8;
					} else {
						_t16 = _t18 + SizeofResource(_t11, _t17);
						_t14 = _a4 & 0x0000000f;
						if(_t14 <= 0) {
							L5:
							if(_t18 >= _t16 ||  *_t18 == 0) {
								goto L8;
							} else {
								return _t18;
							}
						} else {
							while(_t18 < _t16) {
								_t18 =  &(( &(_t18[ *_t18 & 0x0000ffff]))[1]);
								_t14 = _t14 - 1;
								if(_t14 != 0) {
									continue;
								} else {
									goto L5;
								}
								goto L9;
							}
							goto L8;
						}
					}
				}
				L9:
			}

0x003f4e26
0x003f4e28
0x003f4e2c
0x003f4e34
0x003f4e7b
0x003f4e7f
0x003f4e36
0x003f4e3d
0x003f4e41
0x00000000
0x003f4e43
0x003f4e4e
0x003f4e51
0x003f4e54
0x003f4e68
0x003f4e6a
0x00000000
0x003f4e73
0x003f4e78
0x003f4e78
0x003f4e56
0x003f4e56
0x003f4e60
0x003f4e63
0x003f4e66
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003f4e66
0x00000000
0x003f4e56
0x003f4e54
0x003f4e41
0x00000000

APIs

LoadResource.KERNEL32(00000000,00000000,00000001,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950), ref: 003F4E2C
LockResource.KERNEL32(00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E37
SizeofResource.KERNEL32(00000000,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E45

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 2e0a81578732055194dd148999ac60545bcf89e0f4c12b3517356e1e16874446
Instruction ID: 15f3d33d9e5b124e156f07f414ae6ba9c3dc984f2a51fa706fa7510fc7ad8217
Opcode Fuzzy Hash: 2e0a81578732055194dd148999ac60545bcf89e0f4c12b3517356e1e16874446
Instruction Fuzzy Hash: ECF0C83290022A56DB322AA9AD44877B79CFFA1775B02092AEE5DD3114E771DC44C194

Uniqueness

Uniqueness Score: -1.00%

Function 004065E0 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E004065E0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t244;
				signed int _t245;
				signed int* _t246;
				signed int* _t247;
				signed int _t249;
				signed int _t250;
				void* _t251;
				intOrPtr* _t252;
				signed int _t253;
				unsigned int _t254;
				signed int _t256;
				signed int* _t260;
				signed int _t261;
				signed int _t262;
				intOrPtr _t264;
				void* _t268;
				signed char _t274;
				signed int* _t277;
				signed int _t281;
				signed int* _t282;
				intOrPtr* _t289;
				signed int _t291;
				signed int _t292;
				signed int* _t295;
				signed int _t296;
				signed int _t298;
				intOrPtr* _t299;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int _t319;
				signed int _t323;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;
				signed int _t334;
				signed int _t341;
				signed int* _t342;

				_t244 = _a4;
				_t325 =  *_t244;
				if(_t325 == 0) {
					L74:
					__eflags = 0;
					return 0;
				} else {
					_t289 = _a8;
					_t190 =  *_t289;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L74;
					} else {
						_t312 = _t190 - 1;
						_t253 = _t325 - 1;
						_v12 = _t253;
						if(_t312 != 0) {
							__eflags = _t312 - _t253;
							if(_t312 > _t253) {
								goto L74;
							} else {
								_t191 = _t253;
								_t291 = _t253 - _t312;
								__eflags = _t253 - _t291;
								if(_t253 < _t291) {
									L19:
									_t291 = _t291 + 1;
									__eflags = _t291;
								} else {
									_t277 =  &(_t244[_t253 + 1]);
									_t341 = _a8 + _t312 * 4 + 4;
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t277;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t341 = _t341 - 4;
										_t277 = _t277 - 4;
										__eflags = _t191 - _t291;
										if(_t191 >= _t291) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t291;
								if(__eflags == 0) {
									goto L74;
								} else {
									_t192 = _a8;
									_t245 = _v56;
									_t326 =  *(_t192 + _t245 * 4);
									_t55 = _t245 * 4; // 0xffffea47
									_t254 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t326;
									_v36 = _t254;
									if(__eflags == 0) {
										_t313 = 0x20;
									} else {
										_t313 = 0x1f - _t192;
									}
									_v16 = _t313;
									_v48 = 0x20 - _t313;
									__eflags = _t313;
									if(_t313 != 0) {
										_t274 = _t313;
										_v36 = _v36 << _t274;
										_v52 = _t326 << _t274 | _t254 >> _v48;
										__eflags = _t245 - 2;
										if(_t245 > 2) {
											_t68 = _t245 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t327 = 0;
									_v32 = 0;
									_t292 = _t291 + 0xffffffff;
									__eflags = _t292;
									_v28 = _t292;
									if(_t292 >= 0) {
										_t197 = _t292 + _t245;
										_t247 = _a4;
										_v60 = _t197;
										_v64 = _t247 + 4 + _t292 * 4;
										_t260 = _t247 - 4 + _t197 * 4;
										_v80 = _t260;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t260[2];
											}
											_t296 = _t260[1];
											_t261 =  *_t260;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t261;
											__eflags = _t313;
											if(_t313 != 0) {
												_t303 = _v8;
												_t319 = _t261 >> _v48;
												_t221 = E0040BF10(_t296, _v16, _t303);
												_t261 = _v16;
												_t198 = _t303;
												_t296 = _t319 | _t221;
												_t327 = _v24 << _t261;
												__eflags = _v60 - 3;
												_v8 = _t303;
												_v24 = _t327;
												if(_v60 >= 3) {
													_t261 = _v48;
													_t327 = _t327 |  *(_t247 + (_v56 + _v28) * 4 - 8) >> _t261;
													__eflags = _t327;
													_t198 = _v8;
													_v24 = _t327;
												}
											}
											_push(_t247);
											_t199 = E0040BD00(_t296, _t198, _v52, 0);
											_v40 = _t247;
											_t249 = _t199;
											_t328 = _t327 ^ _t327;
											_t200 = _t296;
											_v8 = _t249;
											_v20 = _t200;
											_t314 = _t261;
											_v72 = _t249;
											_v68 = _t200;
											_v40 = _t328;
											__eflags = _t200;
											if(_t200 != 0) {
												L37:
												_t250 = _t249 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E0040BDA0(_t250, _t200, _v52, 0);
												asm("adc esi, edx");
												_t249 = _t250 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t328;
												_v8 = _t249;
												_v72 = _t249;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t249 - 0xffffffff;
												if(_t249 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t328;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L41;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L41:
															_v8 = _v24;
															_t219 = E0040BDA0(_v36, 0, _t249, _t200);
															__eflags = _t296 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L44:
																_t200 = _v20;
																_t249 = _t249 + 0xffffffff;
																_v72 = _t249;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v52;
																__eflags = _t314;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L44;
																}
															}
															L48:
															_v8 = _t249;
															goto L49;
														}
														_t200 = _v20;
														goto L48;
													}
												}
											}
											L49:
											__eflags = _t200;
											if(_t200 != 0) {
												L51:
												_t262 = _v56;
												_t315 = 0;
												_t329 = 0;
												__eflags = _t262;
												if(_t262 != 0) {
													_t252 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t262;
													do {
														_v12 =  *_t210;
														_t216 =  *_t252;
														_t268 = _t315 + _v72 * _v12;
														asm("adc esi, edx");
														_t315 = _t329;
														_t329 = 0;
														__eflags = _t216 - _t268;
														if(_t216 < _t268) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t252 = _t216 - _t268;
														_t252 = _t252 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t249 = _v8;
													_t262 = _v56;
												}
												__eflags = 0 - _t329;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L60:
														__eflags = _t262;
														if(_t262 != 0) {
															_t251 = 0;
															_t299 = _v64;
															_t334 = _a8 + 4;
															__eflags = _t334;
															_t316 = _t262;
															do {
																_t264 =  *_t299;
																_t161 = _t334 + 4; // 0xf8835959
																_t334 = _t161;
																_t299 = _t299 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t299 - 4)) = _t264 +  *((intOrPtr*)(_t334 - 4)) + _t251;
																asm("adc eax, 0x0");
																_t251 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t249 = _v8;
														}
														_t249 = _t249 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L60;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t249;
												if(_t249 != 0) {
													goto L51;
												}
											}
											_t327 = _v32;
											_t247 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t298 = _v28 - 1;
											_t313 = _v16;
											_t260 = _v80 - 4;
											_v32 = 0 + _t249;
											_t197 = _v60 - 1;
											_v28 = _t298;
											_v60 = _t197;
											_v80 = _t260;
											__eflags = _t298;
										} while (_t298 >= 0);
									}
									_t246 = _a4;
									_t256 = _v12 + 1;
									_t195 = _t256;
									__eflags = _t195 -  *_t246;
									if(_t195 <  *_t246) {
										_t295 =  &(( &(_t246[1]))[_t195]);
										do {
											 *_t295 = 0;
											_t295 =  &(_t295[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t246;
										} while (_t195 <  *_t246);
									}
									 *_t246 = _t256;
									__eflags = _t256;
									if(_t256 != 0) {
										while(1) {
											__eflags = _t246[_t256];
											if(_t246[_t256] != 0) {
												goto L73;
											}
											_t256 = _t256 + 0xffffffff;
											__eflags = _t256;
											 *_t246 = _t256;
											if(_t256 != 0) {
												continue;
											}
											goto L73;
										}
									}
									L73:
									return _v32;
								}
							}
						} else {
							_t7 = _t289 + 4; // 0x96850f0a
							_t304 =  *_t7;
							_v12 = _t304;
							if(_t304 != 1) {
								__eflags = _t253;
								if(_t253 != 0) {
									_t323 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t253 - 0xffffffff;
									if(_t253 != 0xffffffff) {
										_t281 = _t253 + 1;
										__eflags = _t281;
										_t282 =  &(_t244[_t281]);
										_v32 = _t282;
										do {
											_t236 = E0040BD00( *_t282, _t323, _t304, 0);
											_v28 = _t244;
											_t244 = _t244;
											_v68 = _t304;
											_t323 = _t282;
											_v16 = 0 + _t236;
											_t304 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t282 = _v32 - 4;
											_v32 = _t282;
											_t325 = _t325 - 1;
											__eflags = _t325;
										} while (_t325 != 0);
										_t244 = _a4;
									}
									_v544 = 0;
									_t342 =  &(_t244[1]);
									 *_t244 = 0;
									E00403BBE(_t342, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t342 = _t323;
									_t244[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t244 = 0xbadbae;
									return _v16;
								} else {
									_t324 =  &(_t244[1]);
									_v544 = _t253;
									 *_t244 = _t253;
									E00403BBE(_t324, 0x1cc,  &_v540, _t253);
									_t239 = _t244[1];
									_t309 = _t239 % _v12;
									__eflags = 0 - _t309;
									 *_t324 = _t309;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t244 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t312;
								 *_t244 = _t312;
								E00403BBE( &(_t244[1]), 0x1cc,  &_v540, _t312);
								return _t244[1];
							}
						}
					}
				}
			}

0x004065ec
0x004065f1
0x004065f5
0x00406a6f
0x00406a71
0x00406a77
0x004065fb
0x004065fb
0x004065fe
0x00406600
0x00406605
0x00000000
0x0040660b
0x0040660b
0x0040660e
0x00406611
0x00406616
0x00406747
0x00406749
0x00000000
0x0040674f
0x00406751
0x00406753
0x00406755
0x00406757
0x0040677b
0x0040677b
0x0040677b
0x00406759
0x00406760
0x00406763
0x00406763
0x00406766
0x00406768
0x0040676a
0x00000000
0x00000000
0x0040676c
0x0040676d
0x00406770
0x00406773
0x00406775
0x00000000
0x00406777
0x00000000
0x00406777
0x00000000
0x00406775
0x00406779
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677c
0x0040677e
0x00000000
0x00406784
0x00406784
0x00406787
0x0040678a
0x0040678d
0x0040678d
0x00406791
0x00406794
0x00406797
0x0040679a
0x004067a5
0x0040679c
0x004067a1
0x004067a1
0x004067af
0x004067b4
0x004067b7
0x004067b9
0x004067c2
0x004067c4
0x004067cb
0x004067ce
0x004067d1
0x004067d9
0x004067df
0x004067df
0x004067df
0x004067df
0x004067d1
0x004067e2
0x004067e4
0x004067eb
0x004067eb
0x004067ee
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406806
0x0040680c
0x0040680f
0x00406812
0x00406812
0x00406815
0x0040681c
0x0040681c
0x00406817
0x00406817
0x00406817
0x0040681e
0x00406821
0x00406823
0x00406826
0x0040682d
0x00406830
0x00406833
0x00406835
0x00406840
0x00406843
0x00406848
0x0040684d
0x00406854
0x00406859
0x0040685b
0x0040685d
0x00406861
0x00406864
0x00406867
0x0040686f
0x00406878
0x00406878
0x0040687a
0x0040687d
0x0040687d
0x00406867
0x00406880
0x00406888
0x0040688d
0x00406892
0x00406894
0x00406896
0x00406898
0x0040689b
0x0040689e
0x004068a0
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068b2
0x004068b7
0x004068ba
0x004068c4
0x004068c6
0x004068c8
0x004068cb
0x004068cb
0x004068cd
0x004068d0
0x004068d3
0x004068d6
0x004068d9
0x004068ad
0x004068ad
0x004068b0
0x00000000
0x00000000
0x004068b0
0x004068dc
0x004068de
0x004068e0
0x00000000
0x004068e2
0x004068e2
0x004068e5
0x004068e7
0x004068e7
0x004068f5
0x004068f8
0x004068fd
0x004068ff
0x00000000
0x00000000
0x00406901
0x00406908
0x00406908
0x0040690b
0x0040690e
0x00406911
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691e
0x00406921
0x00406923
0x00406926
0x00000000
0x00000000
0x00406928
0x00406926
0x00406903
0x00406903
0x00406906
0x00000000
0x00000000
0x00000000
0x00000000
0x00406906
0x0040692d
0x0040692d
0x00000000
0x0040692d
0x0040692a
0x00000000
0x0040692a
0x004068e5
0x004068e0
0x00406930
0x00406930
0x00406932
0x0040693c
0x0040693c
0x0040693f
0x00406941
0x00406943
0x00406945
0x0040694a
0x0040694d
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406958
0x0040696d
0x0040696f
0x00406971
0x00406973
0x00406975
0x00406977
0x00406979
0x0040697b
0x0040697e
0x0040697e
0x00406982
0x00406984
0x0040698a
0x0040698d
0x0040698d
0x0040698d
0x00406991
0x00406991
0x00406996
0x00406999
0x00406999
0x0040699e
0x004069a0
0x004069a2
0x004069a9
0x004069a9
0x004069ab
0x004069b0
0x004069b2
0x004069b5
0x004069b5
0x004069b8
0x004069c0
0x004069c0
0x004069c2
0x004069c2
0x004069c7
0x004069cd
0x004069d1
0x004069d4
0x004069d7
0x004069d9
0x004069d9
0x004069d9
0x004069de
0x004069de
0x004069e1
0x004069e4
0x004069a4
0x004069a4
0x004069a7
0x00000000
0x00000000
0x004069a7
0x004069a2
0x004069eb
0x004069eb
0x004069ec
0x00406934
0x00406934
0x00406936
0x00000000
0x00000000
0x00406936
0x004069ef
0x004069fc
0x004069ff
0x00406a02
0x00406a06
0x00406a07
0x00406a0a
0x00406a0d
0x00406a13
0x00406a14
0x00406a17
0x00406a1a
0x00406a1d
0x00406a1d
0x00406812
0x00406a28
0x00406a2b
0x00406a2c
0x00406a2e
0x00406a30
0x00406a35
0x00406a40
0x00406a40
0x00406a46
0x00406a49
0x00406a4a
0x00406a4a
0x00406a40
0x00406a4e
0x00406a50
0x00406a52
0x00406a54
0x00406a54
0x00406a58
0x00000000
0x00000000
0x00406a5a
0x00406a5a
0x00406a5d
0x00406a5f
0x00000000
0x00000000
0x00000000
0x00406a5f
0x00406a54
0x00406a61
0x00406a6c
0x00406a6c
0x0040677e
0x0040661c
0x0040661c
0x0040661c
0x0040661f
0x00406625
0x00406656
0x00406658
0x0040669a
0x0040669c
0x004066a3
0x004066aa
0x004066ad
0x004066b0
0x004066b2
0x004066b2
0x004066b3
0x004066b6
0x004066c0
0x004066ca
0x004066cf
0x004066d2
0x004066d4
0x004066d7
0x004066e0
0x004066e3
0x004066e6
0x004066e9
0x004066ef
0x004066f2
0x004066f5
0x004066f5
0x004066f5
0x004066fa
0x004066fa
0x00406705
0x00406710
0x00406713
0x0040671f
0x00406724
0x0040672f
0x00406731
0x00406733
0x00406739
0x0040673e
0x00406740
0x00406746
0x0040665a
0x00406665
0x00406668
0x00406674
0x00406676
0x0040667d
0x0040667f
0x00406687
0x00406689
0x0040668b
0x00406690
0x00406693
0x00406699
0x00406699
0x00406627
0x00406635
0x00406641
0x00406643
0x00406655
0x00406655
0x00406625
0x00406616
0x00406605

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b46af6489170977423e0c9b7219b13aac6f7701b04829e2f34bd6e7ff1741f
Instruction ID: 9bfb3983bfbf5ab0ed82313366e2722675e2353a03a803085abd39cffa36621c
Opcode Fuzzy Hash: 79b46af6489170977423e0c9b7219b13aac6f7701b04829e2f34bd6e7ff1741f
Instruction Fuzzy Hash: 37F16F71E012199FDF14DFA8C9806AEBBB1FF88314F15826AD819B7384D735AE11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B57D Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040B57D(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00409616(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E00409582(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x0040b58b
0x0040b592
0x0040b597
0x0040b59d
0x0040b5a0
0x0040b5a6
0x0040b5ab
0x0040b5b0
0x0040b5b0
0x0040b5b6
0x0040b5bb
0x0040b5c0
0x0040b5c0
0x0040b5c7
0x0040b5cc
0x0040b5d1
0x0040b5d1
0x0040b5d8
0x0040b5dd
0x0040b5e2
0x0040b5e2
0x0040b5e9
0x0040b5ee
0x0040b5f3
0x0040b5f3
0x0040b5fb
0x0040b60b
0x0040b61d
0x0040b62f
0x0040b642
0x0040b654
0x0040b65c
0x0040b661
0x0040b666
0x0040b666
0x0040b66d
0x0040b672
0x0040b672
0x0040b679
0x0040b67e
0x0040b67e
0x0040b685
0x0040b68a
0x0040b68a
0x0040b691
0x0040b696
0x0040b696
0x0040b6a0
0x0040b6a2
0x0040b6dc
0x0040b6a4
0x0040b6a9
0x0040b6cd
0x0040b6d5
0x0040b6c9
0x0040b6c9
0x0040b6df
0x0040b6e6
0x0040b6e8
0x0040b70a
0x0040b712
0x0040b715
0x0040b715
0x0040b717
0x0040b717
0x0040b722
0x0040b728
0x0040b72d
0x0040b734
0x0040b76e
0x0040b779
0x0040b77f
0x0040b782
0x0040b785
0x0040b791
0x0040b799
0x0040b736
0x0040b739
0x0040b745
0x0040b74b
0x0040b751
0x0040b754
0x0040b75d
0x0040b75d
0x0040b79c
0x0040b7aa
0x0040b7b0
0x0040b7b3
0x0040b7b8
0x0040b7ba
0x0040b7bd
0x0040b7bd
0x0040b7c2
0x0040b7c4
0x0040b7c7
0x0040b7c7
0x0040b7cc
0x0040b7ce
0x0040b7d1
0x0040b7d1
0x0040b7d6
0x0040b7d8
0x0040b7db
0x0040b7db
0x0040b7e0
0x0040b7e2
0x0040b7e2
0x0040b7ef
0x0040b7f2
0x0040b829
0x0040b7f4
0x0040b7f4
0x0040b7f7
0x0040b822
0x0040b817
0x0040b817
0x0040b82b
0x0040b833
0x0040b836
0x0040b855
0x0040b85a
0x0040b85a
0x0040b85c
0x0040b861
0x0040b86d
0x0040b863
0x0040b866
0x0040b866
0x0040b872
0x0040b872
0x0040b838
0x0040b83b
0x0040b84a
0x00000000
0x0040b84a
0x0040b83d
0x0040b840
0x0040b842
0x0040b842
0x00000000
0x0040b840
0x0040b7f9
0x0040b7fc
0x0040b812
0x00000000
0x0040b812
0x0040b801
0x0040b803
0x0040b803
0x0040b801
0x00000000
0x0040b7f2
0x0040b6ef
0x0040b6fd
0x0040b705
0x00000000
0x0040b705
0x0040b6f3
0x0040b6f8
0x0040b6f8
0x00000000
0x0040b6f3
0x0040b6b0
0x0040b6be
0x0040b6c6
0x00000000
0x0040b6c6
0x0040b6b4
0x0040b6b9
0x0040b6b9
0x0040b6b4

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0040B578,?,?,00000008,?,?,0040B210,00000000), ref: 0040B7AA

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 21e3d955341ff73959ddf9205c1e8d691d4065b3a0e5942838515f0d8e22e0cc
Instruction ID: 104593d3ad668b6ca442ba2c53fccd03ef3b18bf030b6e6c767c030cc558abf3
Opcode Fuzzy Hash: 21e3d955341ff73959ddf9205c1e8d691d4065b3a0e5942838515f0d8e22e0cc
Instruction Fuzzy Hash: 9CB15F31610604DFD719CF28C486B657BA0FF44364F258669E89ADF3E1C339E942CB89

Uniqueness

Uniqueness Score: -1.00%

Function 003F677B Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E003F677B(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x416f1c =  *0x416f1c & 0x00000000;
				 *0x416018 =  *0x416018 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x416f20; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x416f20 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x416018; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x416f1c = 1;
					 *0x416018 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x416f1c = 2;
						 *0x416018 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x416018; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x416f1c = 3;
								 *0x416018 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x416f1c = 5;
									 *0x416018 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x416018 =  *0x416018 | 0x00000040;
										 *0x416f1c = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x416f20; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x416f20 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x003f677b
0x003f677e
0x003f6788
0x003f6798
0x003f6947
0x003f694a
0x003f694a
0x003f679e
0x003f67a4
0x003f67a9
0x003f67ad
0x003f67b1
0x003f67b2
0x003f67b4
0x003f67b7
0x003f67bc
0x003f67c5
0x003f67d6
0x003f67e1
0x003f67e7
0x003f67e8
0x003f67ed
0x003f67f0
0x003f67f5
0x003f67fd
0x003f6800
0x003f6803
0x003f6848
0x003f6848
0x003f684e
0x003f684e
0x003f6853
0x003f6854
0x003f685a
0x003f688b
0x003f685c
0x003f685e
0x003f685f
0x003f6864
0x003f6867
0x003f6869
0x003f686c
0x003f686f
0x003f6872
0x003f6875
0x003f687e
0x003f6883
0x003f6883
0x003f687e
0x003f688e
0x003f6893
0x003f6896
0x003f68a0
0x003f68ab
0x003f68b1
0x003f68b4
0x003f68be
0x003f68c9
0x003f68d5
0x003f68d8
0x003f68db
0x003f68e6
0x003f68eb
0x003f68ed
0x003f68f2
0x003f68f5
0x003f68ff
0x003f6907
0x003f690c
0x003f6916
0x003f6924
0x003f6937
0x003f693e
0x003f693e
0x003f6924
0x003f6907
0x003f68eb
0x003f68c9
0x00000000
0x003f6946
0x003f6808
0x003f6812
0x003f6837
0x003f683d
0x003f6840
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003F6791

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: dcf8fb3e12e2caec64816fd8f2791d1a4e5918af4de091c2d04bd3bf24196fb0
Instruction ID: da091344c0f0bf7b9ed1e5341e56afb41e1d5b4965c3acb3f29510f44138aa99
Opcode Fuzzy Hash: dcf8fb3e12e2caec64816fd8f2791d1a4e5918af4de091c2d04bd3bf24196fb0
Instruction Fuzzy Hash: A0515AB19002098BDB2ACF55E8867AEBBF0FB48350F26C43AD509EB254D375DA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00403176 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00403176(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v28;
				signed short* _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				signed int _v616;
				signed int _v620;
				intOrPtr _v648;
				intOrPtr _t42;
				void* _t47;
				signed int _t50;
				signed char _t52;
				intOrPtr* _t58;
				union _FINDEX_INFO_LEVELS _t60;
				int _t65;
				void* _t80;
				void* _t82;
				void* _t86;
				WCHAR* _t87;
				void* _t89;
				intOrPtr* _t92;
				intOrPtr _t95;
				intOrPtr* _t98;
				void* _t103;
				void* _t111;
				signed short* _t112;
				signed int _t118;
				intOrPtr* _t122;
				intOrPtr _t125;
				void* _t127;
				void* _t132;
				signed int _t133;
				void* _t134;

				_push(__ecx);
				_t92 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t92 + 2; // 0x2
				_t111 = _t2;
				do {
					_t42 =  *_t92;
					_t92 = _t92 + 2;
				} while (_t42 != 0);
				_t118 = _a12;
				_t95 = (_t92 - _t111 >> 1) + 1;
				_v8 = _t95;
				if(_t95 <=  !_t118) {
					_push(__esi);
					_t5 = _t118 + 1; // 0x1
					_t86 = _t5 + _t95;
					_t125 = E003FF852(_t95, _t86, 2);
					if(_t118 == 0) {
						L7:
						_push(_v8);
						_t86 = _t86 - _t118;
						_t47 = E00402F2B(_t125 + _t118 * 2, _t86, _a4);
						_t133 = _t132 + 0x10;
						if(_t47 != 0) {
							goto L12;
						} else {
							_t122 = _a16;
							_t89 = E004033C0(_t122);
							if(_t89 == 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t122 + 4)))) = _t125;
								 *((intOrPtr*)(_t122 + 4)) =  *((intOrPtr*)(_t122 + 4)) + 4;
								_t89 = 0;
							} else {
								E003FF8AF(_t125);
							}
							E003FF8AF(0);
							_t80 = _t89;
							goto L4;
						}
					} else {
						_push(_t118);
						_t82 = E00402F2B(_t125, _t86, _a8);
						_t133 = _t132 + 0x10;
						if(_t82 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E003FDA69();
							asm("int3");
							_t131 = _t133;
							_t134 = _t133 - 0x264;
							_t50 =  *0x416014; // 0x9d5f503d
							_v48 = _t50 ^ _t133;
							_t112 = _v32;
							_t98 = _v28;
							_push(_t86);
							_t87 = _v36;
							_v648 = _t98;
							_push(_t125);
							_push(_t118);
							if(_t112 != _t87) {
								while(E0040339C( *_t112 & 0x0000ffff) == 0) {
									_t112 = _t112 - 2;
									if(_t112 != _t87) {
										continue;
									}
									break;
								}
								_t98 = _v612;
							}
							_t126 =  *_t112 & 0x0000ffff;
							if(( *_t112 & 0x0000ffff) != 0x3a || _t112 ==  &(_t87[1])) {
								_t52 = E0040339C(_t126);
								asm("sbb eax, eax");
								_t119 = 0;
								_v616 =  ~(_t52 & 0x000000ff) & (_t112 - _t87 >> 0x00000001) + 0x00000001;
								_t127 = FindFirstFileExW(_t87, 0,  &_v604, 0, 0, 0);
								_t58 = _v612;
								if(_t127 != 0xffffffff) {
									_v620 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
									_t103 = 0x2e;
									do {
										if(_v604.cFileName != _t103 || _v558 != _t119 && (_v558 != _t103 || _v556 != _t119)) {
											_push(_t58);
											_t60 = E00403176(_t87, _t103, _t119, _t127,  &(_v604.cFileName), _t87, _v616);
											_t134 = _t134 + 0x10;
											if(_t60 != 0) {
												_t119 = _t60;
											} else {
												goto L28;
											}
										} else {
											goto L28;
										}
										L32:
										FindClose(_t127);
										goto L33;
										L28:
										_t65 = FindNextFileW(_t127,  &_v604);
										_t58 = _v612;
										_t103 = 0x2e;
									} while (_t65 != 0);
									_t116 =  *_t58;
									_t106 = _v620;
									_t68 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
									if(_v620 !=  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2) {
										E00408E30(_t87, _t119, _t127, _t116 + _t106 * 4, _t68 - _t106, 4, E00402F36);
									}
									goto L32;
								} else {
									_push(_t58);
									_t119 = E00403176(_t87,  &_v605, 0, _t127, _t87, 0, 0);
								}
								L33:
							} else {
								_push(_t98);
								E00403176(_t87, _t98, 0, _t126, _t87, 0, 0);
							}
							return E003F5D05(_v12 ^ _t131);
						} else {
							goto L7;
						}
					}
				} else {
					_t80 = 0xc;
					L4:
					return _t80;
				}
			}

0x0040317b
0x0040317c
0x0040317f
0x00403180
0x00403183
0x00403183
0x00403186
0x00403186
0x00403189
0x0040318c
0x00403191
0x0040319a
0x0040319d
0x004031a2
0x004031ab
0x004031ac
0x004031af
0x004031b9
0x004031bf
0x004031d3
0x004031d3
0x004031d6
0x004031e0
0x004031e5
0x004031ea
0x00000000
0x004031ec
0x004031ec
0x004031f6
0x004031fa
0x00403208
0x0040320a
0x0040320e
0x004031fc
0x004031fd
0x00403202
0x00403212
0x00403218
0x00000000
0x0040321a
0x004031c1
0x004031c1
0x004031c7
0x004031cc
0x004031d1
0x0040321d
0x0040321f
0x00403220
0x00403221
0x00403222
0x00403223
0x00403224
0x00403229
0x0040322d
0x0040322f
0x00403235
0x0040323c
0x0040323f
0x00403242
0x00403245
0x00403246
0x00403249
0x0040324f
0x00403250
0x00403253
0x00403255
0x00403268
0x0040326d
0x00000000
0x00000000
0x00000000
0x0040326d
0x0040326f
0x0040326f
0x00403275
0x0040327b
0x0040329e
0x004032ad
0x004032af
0x004032b6
0x004032cb
0x004032cd
0x004032d6
0x004032f5
0x004032fb
0x004032fc
0x00403303
0x00403320
0x0040332f
0x00403334
0x00403339
0x00403382
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403384
0x00403385
0x00000000
0x0040333b
0x00403343
0x0040334d
0x00403353
0x00403353
0x00403356
0x0040335b
0x00403363
0x00403368
0x00403378
0x0040337d
0x00000000
0x004032d8
0x004032d8
0x004032e4
0x004032e4
0x0040338b
0x00403284
0x00403284
0x0040328a
0x0040328f
0x0040339b
0x00000000
0x00000000
0x00000000
0x004031d1
0x004031a4
0x004031a6
0x004031a7
0x004031aa
0x004031aa

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0738c02154157d2f124a3828e499f2acc079bac23c301f1ceb43e88e4970082
Instruction ID: 292156cc3409c9abc41043274de9896579da670ed9094c1d958a7629103bb1f6
Opcode Fuzzy Hash: d0738c02154157d2f124a3828e499f2acc079bac23c301f1ceb43e88e4970082
Instruction Fuzzy Hash: FB31D972900219AFCB24DFA9CC89DBB7B7DEB84311F1441ADF915A7280EA34EE40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003FB0F4 Relevance: 1.5, Strings: 1, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E003FB0F4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				short _v16;
				signed int _v20;
				short _v24;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				signed char _t65;
				signed char _t67;
				signed int _t68;
				short _t70;
				void* _t71;
				signed char _t77;
				signed char _t80;
				void* _t85;
				void* _t86;
				signed char _t88;
				signed char _t90;
				short _t91;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				unsigned int _t102;
				signed int _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				signed int _t113;
				unsigned int _t115;
				signed int* _t117;
				signed char _t118;
				void* _t126;
				signed int _t129;
				void* _t130;
				short _t131;
				short _t132;
				void* _t133;
				intOrPtr* _t136;
				signed int _t137;
				void* _t138;
				void* _t140;
				void* _t141;

				_t130 = __edi;
				_t57 =  *0x416014; // 0x9d5f503d
				_v8 = _t57 ^ _t137;
				_t136 = __ecx;
				_t126 = 0x41;
				_t59 =  *(__ecx + 0x32) & 0x0000ffff;
				_t109 = 0x58;
				_t140 = _t59 - 0x64;
				if(_t140 > 0) {
					__eflags = _t59 - 0x70;
					if(__eflags > 0) {
						_t60 = _t59 - 0x73;
						__eflags = _t60;
						if(_t60 == 0) {
							L9:
							_t61 = E003FBC8B(_t136);
							L10:
							if(_t61 != 0) {
								__eflags =  *(_t136 + 0x30);
								if( *(_t136 + 0x30) != 0) {
									L70:
									L71:
									return E003F5D05(_v8 ^ _t137);
								}
								_t113 = 0;
								_v16 = 0;
								_v12 = 0;
								_t102 =  *(_t136 + 0x20);
								_push(_t130);
								_v20 = 0;
								_t65 = _t102 >> 4;
								_t131 = 0x20;
								__eflags = 1 & _t65;
								if((1 & _t65) == 0) {
									L46:
									_t129 =  *(_t136 + 0x32) & 0x0000ffff;
									_t132 = 0x78;
									__eflags = _t129 - _t132;
									if(_t129 == _t132) {
										L48:
										_t67 = _t102 >> 5;
										__eflags = _t67 & 0x00000001;
										if((_t67 & 0x00000001) == 0) {
											L50:
											_t103 = 0;
											__eflags = 0;
											L51:
											__eflags = _t129 - 0x61;
											if(_t129 == 0x61) {
												L54:
												_t68 = 1;
												L55:
												_v24 = 0x30;
												__eflags = _t103;
												if(_t103 != 0) {
													L57:
													 *((short*)(_t137 + _t113 * 2 - 0xc)) = _v24;
													_t70 = 0x58;
													__eflags = _t129 - _t70;
													if(_t129 == _t70) {
														L59:
														_t132 = _t70;
														L60:
														 *((short*)(_t137 + _t113 * 2 - 0xa)) = _t132;
														_t113 = _t113 + 2;
														__eflags = _t113;
														_v20 = _t113;
														L61:
														_t71 = _t136 + 0x18;
														_t133 = _t136 + 0x448;
														_t106 =  *((intOrPtr*)(_t136 + 0x24)) -  *((intOrPtr*)(_t136 + 0x38)) - _t113;
														__eflags =  *(_t136 + 0x20) & 0x0000000c;
														if(( *(_t136 + 0x20) & 0x0000000c) == 0) {
															E003FA1C1(_t133, 0x20, _t106, _t71);
															_t113 = _v20;
															_t138 = _t138 + 0x10;
														}
														_push(_t136 + 0xc);
														E003FC00B(_t133,  &_v16, _t113, _t136 + 0x18);
														_t115 =  *(_t136 + 0x20);
														_t77 = _t115 >> 3;
														__eflags = _t77 & 0x00000001;
														if((_t77 & 0x00000001) != 0) {
															_t118 = _t115 >> 2;
															__eflags = _t118 & 0x00000001;
															if((_t118 & 0x00000001) == 0) {
																E003FA1C1(_t133, _v24, _t106, _t136 + 0x18);
																_t138 = _t138 + 0x10;
															}
														}
														E003FBF4C(_t136, _t129, 0);
														_t117 = _t136 + 0x18;
														__eflags =  *_t117;
														if( *_t117 >= 0) {
															_t80 =  *(_t136 + 0x20) >> 2;
															__eflags = _t80 & 0x00000001;
															if((_t80 & 0x00000001) != 0) {
																E003FA1C1(_t133, 0x20, _t106, _t117);
															}
														}
														goto L70;
													}
													_t107 = 0x41;
													__eflags = _t129 - _t107;
													if(_t129 != _t107) {
														goto L60;
													}
													goto L59;
												}
												__eflags = _t68;
												if(_t68 == 0) {
													goto L61;
												}
												goto L57;
											}
											_t85 = 0x41;
											__eflags = _t129 - _t85;
											if(_t129 == _t85) {
												goto L54;
											}
											_t68 = 0;
											goto L55;
										}
										_t103 = 1;
										goto L51;
									}
									_t86 = 0x58;
									__eflags = _t129 - _t86;
									if(_t129 != _t86) {
										goto L50;
									}
									goto L48;
								}
								_t88 = _t102 >> 6;
								__eflags = 1 & _t88;
								if((1 & _t88) == 0) {
									__eflags = 1 & _t102;
									if((1 & _t102) == 0) {
										_t90 = _t102 >> 1;
										__eflags = 1 & _t90;
										if((1 & _t90) != 0) {
											_v16 = _t131;
											_t113 = 1;
											_v20 = 1;
										}
										goto L46;
									}
									_push(0x2b);
									L43:
									_pop(_t91);
									_t113 = 1;
									_v16 = _t91;
									_v20 = 1;
									goto L46;
								}
								_push(0x2d);
								goto L43;
							}
							L11:
							goto L71;
						}
						_t94 = _t60;
						__eflags = _t94;
						if(__eflags == 0) {
							L29:
							_push(0);
							_push(0xa);
							L30:
							_t61 = E003FB9E3(_t136, __eflags);
							goto L10;
						}
						__eflags = _t94 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L30;
					}
					if(__eflags == 0) {
						_t61 = E003FBC02(__ecx);
						goto L10;
					}
					__eflags = _t59 - 0x65;
					if(_t59 < 0x65) {
						goto L11;
					}
					__eflags = _t59 - 0x67;
					if(_t59 <= 0x67) {
						L31:
						_t61 = E003FB607(_t136);
						goto L10;
					}
					__eflags = _t59 - 0x69;
					if(_t59 == 0x69) {
						L28:
						_t3 = _t136 + 0x20;
						 *_t3 =  *(_t136 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L29;
					}
					__eflags = _t59 - 0x6e;
					if(_t59 == 0x6e) {
						_t61 = E003FBB38(__ecx, _t126);
						goto L10;
					}
					__eflags = _t59 - 0x6f;
					if(_t59 != 0x6f) {
						goto L11;
					}
					_t61 = E003FBBCB(__ecx);
					goto L10;
				}
				if(_t140 == 0) {
					goto L28;
				}
				_t141 = _t59 - _t109;
				if(_t141 > 0) {
					_t96 = _t59 - 0x5a;
					__eflags = _t96;
					if(_t96 == 0) {
						_t61 = E003FB45E(__ecx);
						goto L10;
					}
					_t97 = _t96 - 7;
					__eflags = _t97;
					if(_t97 == 0) {
						goto L31;
					}
					__eflags = _t97;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t61 = E003FB7FC(_t136, _t126, __eflags, 0);
					goto L10;
				}
				if(_t141 == 0) {
					_push(1);
					goto L13;
				}
				if(_t59 == _t126) {
					goto L31;
				}
				if(_t59 == 0x43) {
					goto L17;
				}
				if(_t59 <= 0x44) {
					goto L11;
				}
				if(_t59 <= 0x47) {
					goto L31;
				}
				if(_t59 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x003fb0f4
0x003fb0fc
0x003fb103
0x003fb108
0x003fb10e
0x003fb111
0x003fb115
0x003fb116
0x003fb119
0x003fb186
0x003fb189
0x003fb1e0
0x003fb1e0
0x003fb1e3
0x003fb147
0x003fb149
0x003fb14e
0x003fb150
0x003fb1fe
0x003fb201
0x003fb349
0x003fb34b
0x003fb358
0x003fb358
0x003fb207
0x003fb209
0x003fb20c
0x003fb212
0x003fb216
0x003fb219
0x003fb21c
0x003fb221
0x003fb222
0x003fb224
0x003fb256
0x003fb256
0x003fb25c
0x003fb25d
0x003fb260
0x003fb26a
0x003fb26c
0x003fb26f
0x003fb271
0x003fb277
0x003fb277
0x003fb277
0x003fb279
0x003fb279
0x003fb27c
0x003fb28a
0x003fb28a
0x003fb28c
0x003fb28c
0x003fb293
0x003fb295
0x003fb29b
0x003fb2a0
0x003fb2a5
0x003fb2a6
0x003fb2a9
0x003fb2b3
0x003fb2b3
0x003fb2b5
0x003fb2b5
0x003fb2ba
0x003fb2ba
0x003fb2bd
0x003fb2c0
0x003fb2c3
0x003fb2c9
0x003fb2cf
0x003fb2d1
0x003fb2d5
0x003fb2dc
0x003fb2e1
0x003fb2e4
0x003fb2e4
0x003fb2ea
0x003fb2f6
0x003fb2fb
0x003fb300
0x003fb303
0x003fb305
0x003fb307
0x003fb30a
0x003fb30d
0x003fb318
0x003fb31d
0x003fb31d
0x003fb30d
0x003fb324
0x003fb329
0x003fb32c
0x003fb32f
0x003fb334
0x003fb337
0x003fb339
0x003fb340
0x003fb345
0x003fb339
0x00000000
0x003fb348
0x003fb2ad
0x003fb2ae
0x003fb2b1
0x00000000
0x00000000
0x00000000
0x003fb2b1
0x003fb297
0x003fb299
0x00000000
0x00000000
0x00000000
0x003fb299
0x003fb280
0x003fb281
0x003fb284
0x00000000
0x00000000
0x003fb286
0x00000000
0x003fb286
0x003fb273
0x00000000
0x003fb273
0x003fb264
0x003fb265
0x003fb268
0x00000000
0x00000000
0x00000000
0x003fb268
0x003fb228
0x003fb22b
0x003fb22d
0x003fb233
0x003fb235
0x003fb247
0x003fb249
0x003fb24b
0x003fb24d
0x003fb251
0x003fb253
0x003fb253
0x00000000
0x003fb24b
0x003fb237
0x003fb239
0x003fb239
0x003fb23a
0x003fb23c
0x003fb240
0x00000000
0x003fb240
0x003fb22f
0x00000000
0x003fb22f
0x003fb156
0x00000000
0x003fb156
0x003fb1ea
0x003fb1ea
0x003fb1ed
0x003fb1bc
0x003fb1bc
0x003fb1bd
0x003fb1bf
0x003fb1c1
0x00000000
0x003fb1c1
0x003fb1ef
0x003fb1f2
0x00000000
0x00000000
0x003fb1f8
0x003fb15f
0x003fb15f
0x00000000
0x003fb15f
0x003fb18b
0x003fb1d6
0x00000000
0x003fb1d6
0x003fb18d
0x003fb190
0x00000000
0x00000000
0x003fb192
0x003fb195
0x003fb1c8
0x003fb1ca
0x00000000
0x003fb1ca
0x003fb197
0x003fb19a
0x003fb1b8
0x003fb1b8
0x003fb1b8
0x003fb1b8
0x00000000
0x003fb1b8
0x003fb19c
0x003fb19f
0x003fb1b1
0x00000000
0x003fb1b1
0x003fb1a1
0x003fb1a4
0x00000000
0x00000000
0x003fb1a8
0x00000000
0x003fb1a8
0x003fb11b
0x00000000
0x00000000
0x003fb121
0x003fb123
0x003fb163
0x003fb163
0x003fb166
0x003fb17f
0x00000000
0x003fb17f
0x003fb168
0x003fb168
0x003fb16b
0x00000000
0x00000000
0x003fb16e
0x003fb171
0x00000000
0x00000000
0x003fb173
0x003fb176
0x00000000
0x003fb176
0x003fb125
0x003fb15d
0x00000000
0x003fb15d
0x003fb129
0x00000000
0x00000000
0x003fb132
0x00000000
0x00000000
0x003fb137
0x00000000
0x00000000
0x003fb13c
0x00000000
0x00000000
0x003fb145
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 003FB28C

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: fea403fd099fa358ae03aa10d0962e77bae724b17052af7c3f97bec9ae79cec4
Instruction ID: 34b0b19864ff89f1b6e6ca3a78d8236df64f325770ba3db346bd68dffda36eb8
Opcode Fuzzy Hash: fea403fd099fa358ae03aa10d0962e77bae724b17052af7c3f97bec9ae79cec4
Instruction Fuzzy Hash: AA6167F060030DA6DB3B9A28C9A2BBEF3A9AF42740F15091AE742DB791D721DD45C345

Uniqueness

Uniqueness Score: -1.00%

Function 003FAEC2 Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E003FAEC2(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E003FBC1A(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E003FA186(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E003FBFDF(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E003FA186(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E003FBEA5(_t91, _t117, _t114, _t117, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E003FA186(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E003FB892(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E003FBBEA(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E003FB4B8(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E003FBB38(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E003FBBAC(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E003FB404(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E003FB76C(0, _t117, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x003faec7
0x003faec8
0x003faecb
0x003faed1
0x003faed2
0x003faed6
0x003faed9
0x003faf47
0x003faf4a
0x003faf99
0x003faf99
0x003faf9c
0x003faf08
0x003faf0a
0x003faf0f
0x003faf11
0x003fafb7
0x003fafba
0x003fb0ee
0x003fb0ee
0x003fb0f0
0x003fb0f3
0x003fb0f3
0x003fafc0
0x003fafc2
0x003fafc6
0x003fafcb
0x003fafd1
0x003fafd4
0x003fafd7
0x003fafd9
0x003fb00a
0x003fb00a
0x003fb00d
0x003fb010
0x003fb017
0x003fb019
0x003fb01c
0x003fb01e
0x003fb024
0x003fb024
0x003fb024
0x003fb026
0x003fb026
0x003fb029
0x003fb034
0x003fb034
0x003fb036
0x003fb036
0x003fb038
0x003fb03e
0x003fb03e
0x003fb043
0x003fb046
0x003fb051
0x003fb053
0x003fb054
0x003fb054
0x003fb058
0x003fb058
0x003fb05b
0x003fb05e
0x003fb062
0x003fb068
0x003fb06e
0x003fb070
0x003fb074
0x003fb07b
0x003fb080
0x003fb083
0x003fb083
0x003fb089
0x003fb096
0x003fb09b
0x003fb0a0
0x003fb0a3
0x003fb0a5
0x003fb0a7
0x003fb0aa
0x003fb0ad
0x003fb0ba
0x003fb0bf
0x003fb0bf
0x003fb0ad
0x003fb0c6
0x003fb0cb
0x003fb0ce
0x003fb0d3
0x003fb0d6
0x003fb0d8
0x003fb0e5
0x003fb0ea
0x003fb0d8
0x00000000
0x003fb0ed
0x003fb048
0x003fb04b
0x00000000
0x00000000
0x00000000
0x003fb04d
0x003fb03a
0x003fb03c
0x00000000
0x00000000
0x00000000
0x003fb03c
0x003fb02b
0x003fb02e
0x00000000
0x00000000
0x003fb030
0x00000000
0x003fb030
0x003fb020
0x00000000
0x003fb020
0x003fb012
0x003fb015
0x00000000
0x00000000
0x00000000
0x003fb015
0x003fafdd
0x003fafe0
0x003fafe2
0x003fafea
0x003fafec
0x003faffb
0x003faffd
0x003fafff
0x003fb001
0x003fb005
0x003fb007
0x003fb007
0x00000000
0x003fafff
0x003fafee
0x003faff2
0x003faff2
0x003faff4
0x00000000
0x003faff4
0x003fafe4
0x00000000
0x003fafe4
0x003faf17
0x003faf17
0x00000000
0x003faf17
0x003fafa3
0x003fafa3
0x003fafa6
0x003faf78
0x003faf78
0x003faf79
0x003faf7b
0x003faf7d
0x00000000
0x003faf7d
0x003fafa8
0x003fafab
0x00000000
0x00000000
0x003fafb1
0x003faf20
0x003faf20
0x00000000
0x003faf20
0x003faf4c
0x003faf8f
0x00000000
0x003faf8f
0x003faf4e
0x003faf51
0x003faf84
0x003faf86
0x00000000
0x003faf86
0x003faf53
0x003faf56
0x003faf74
0x003faf74
0x003faf74
0x003faf74
0x00000000
0x003faf74
0x003faf58
0x003faf5b
0x003faf6d
0x00000000
0x003faf6d
0x003faf5d
0x003faf60
0x00000000
0x00000000
0x003faf64
0x00000000
0x003faf64
0x003faedb
0x00000000
0x00000000
0x003faee1
0x003faee3
0x003faf24
0x003faf24
0x003faf27
0x003faf40
0x00000000
0x003faf40
0x003faf29
0x003faf29
0x003faf2c
0x00000000
0x00000000
0x003faf2f
0x003faf32
0x00000000
0x00000000
0x003faf34
0x003faf37
0x00000000
0x003faf37
0x003faee5
0x003faf1e
0x00000000
0x003faf1e
0x003faeea
0x00000000
0x00000000
0x003faef3
0x00000000
0x00000000
0x003faef8
0x00000000
0x00000000
0x003faefd
0x00000000
0x00000000
0x003faf06
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 003FB03E

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 801936159c0b51fbc74673c646c584da5f3bfc13b341ecf0d01892c458861519
Instruction ID: d2158451eccc7b1121d76d2e3637b0e878b52a3cd836c86315c9e2b252d280f5
Opcode Fuzzy Hash: 801936159c0b51fbc74673c646c584da5f3bfc13b341ecf0d01892c458861519
Instruction Fuzzy Hash: DF5176F0204F4D56DB3B9A28CD957BFA7999B01300F054129E79ACF692DB169D488313

Uniqueness

Uniqueness Score: -1.00%

Function 003F1030 Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E003F1030(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v24;
				char _v48;
				signed int _t16;
				signed int _t22;
				void* _t33;
				void* _t39;
				intOrPtr _t43;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t53;
				signed int _t68;
				signed int _t72;

				_t66 = __esi;
				_t50 = E003F5450(__esi);
				if(_t50 == 0) {
					_push(0x80004005);
					E003F5550(__ebx, __edx, __edi, __esi);
					asm("int3");
					asm("int3");
					_t51 = E003F5450(__esi);
					__eflags = _t51;
					if(_t51 == 0) {
						_push(0x80004005);
						E003F5550(__ebx, __edx, __edi, __esi);
						asm("int3");
						asm("int3");
						_t68 = _t72;
						_push(0xffffffff);
						_push(E0040C58A);
						_push( *[fs:0x0]);
						_t16 =  *0x416014; // 0x9d5f503d
						_push(_t16 ^ _t68);
						 *[fs:0x0] =  &_v24;
						_t52 = E003F5450(__esi);
						__eflags = _t52;
						if(_t52 == 0) {
							_push(0x80004005);
							E003F5550(__ebx, __edx, __edi, __esi);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t68);
							_push(0xffffffff);
							_push(E0040C64A);
							_push( *[fs:0x0]);
							_t22 =  *0x416014; // 0x9d5f503d
							_push(_t22 ^ _t72);
							 *[fs:0x0] =  &_v48;
							_t53 = E003F5450(_t66);
							__eflags = _t53;
							if(_t53 == 0) {
								_push(0x80004005);
								E003F5550(__ebx, __edx, __edi, _t66);
								asm("int3");
								E003F698C(0x416f28, __eflags);
								return E003F6153(0x416f28, __eflags, E0040CA31);
							} else {
								 *0x417950 =  *((intOrPtr*)( *_t53 + 0xc))() + 0x10;
								_t56 = 0x417950;
								_v16 = 0;
								__eflags = E003F4640(__ebx, 0x417950, __edx, L"Software\\FA_RSS");
								if(__eflags == 0) {
									_push(0xf);
									_t56 = 0x417950;
									E003F4890(__ebx, 0x417950, L"Software\\FA_RSS");
								}
								_t33 = E003F6153(_t56, __eflags, E0040C9E0);
								 *[fs:0x0] = _v24;
								return _t33;
							}
						} else {
							 *0x41794c =  *((intOrPtr*)( *_t52 + 0xc))() + 0x10;
							_t59 = 0x41794c;
							_v8 = 0;
							__eflags = E003F4640(__ebx, 0x41794c, __edx, 0x413548);
							if(__eflags == 0) {
								_push(0);
								_t59 = 0x41794c;
								E003F4890(__ebx, 0x41794c, 0x413548);
							}
							_t39 = E003F6153(_t59, __eflags, E0040C9C0);
							 *[fs:0x0] = _v16;
							return _t39;
						}
					} else {
						_t43 =  *((intOrPtr*)( *_t51 + 0xc))() + 0x10;
						__eflags = _t43;
						 *0x417948 = _t43;
						return E003F6153(_t51, _t43, E0040C9A0);
					}
				} else {
					 *0x417944 =  *((intOrPtr*)( *_t50 + 0xc))() + 0x10;
					return E003F6153(_t50,  *((intOrPtr*)( *_t50 + 0xc))() + 0x10, E0040C980);
				}
			}

0x003f1030
0x003f1035
0x003f1039
0x003f1054
0x003f1059
0x003f105e
0x003f105f
0x003f1065
0x003f1067
0x003f1069
0x003f1084
0x003f1089
0x003f108e
0x003f108f
0x003f1091
0x003f1093
0x003f1095
0x003f10a0
0x003f10a1
0x003f10a8
0x003f10ac
0x003f10b7
0x003f10b9
0x003f10bb
0x003f1111
0x003f1116
0x003f111b
0x003f111c
0x003f111d
0x003f111e
0x003f111f
0x003f1120
0x003f1123
0x003f1125
0x003f1130
0x003f1131
0x003f1138
0x003f113c
0x003f1147
0x003f1149
0x003f114b
0x003f11a1
0x003f11a6
0x003f11ab
0x003f11b1
0x003f11c1
0x003f114d
0x003f1155
0x003f115f
0x003f1164
0x003f1170
0x003f1172
0x003f1174
0x003f117b
0x003f1180
0x003f1180
0x003f118a
0x003f1195
0x003f11a0
0x003f11a0
0x003f10bd
0x003f10c5
0x003f10cf
0x003f10d4
0x003f10e0
0x003f10e2
0x003f10e4
0x003f10eb
0x003f10f0
0x003f10f0
0x003f10fa
0x003f1105
0x003f1110
0x003f1110
0x003f106b
0x003f1070
0x003f1070
0x003f1078
0x003f1083
0x003f1083
0x003f103b
0x003f1048
0x003f1053
0x003f1053

Strings

tyA, xrefs: 003F10C5, 003F10CF, 003F10EB

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Init_thread_footer$HeapProcess
String ID: tyA
API String ID: 275895251-1402972711
Opcode ID: 39d11f88bc1bb455a19f3f02ef20e328404e0c848bc35c7fe9199cc6e2347020
Instruction ID: 824e362524be2a88955a7e9e05669c733b6e189006d0724e6889348a8d7fbdc0
Opcode Fuzzy Hash: 39d11f88bc1bb455a19f3f02ef20e328404e0c848bc35c7fe9199cc6e2347020
Instruction Fuzzy Hash: 4C1124B0640648EBDB06AF64DC06B7977A0DB01715F10807EF71A9F792EF35D8048A49

Uniqueness

Uniqueness Score: -1.00%

Function 003F1CD0 Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E003F1CD0(void* __ecx) {
				signed int _v8;
				void* __edi;
				signed int _t44;
				unsigned int _t50;
				unsigned int _t53;
				unsigned int _t54;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t57;
				unsigned int _t58;
				signed char _t59;
				void* _t76;
				void* _t92;
				intOrPtr* _t95;

				_push(__ecx);
				_t92 = __ecx;
				E003F7720(__ecx, __ecx, 0, 0x400);
				_t53 = 0;
				_v8 = 0;
				do {
					if((_t53 & 0x00000001) != 0) {
						asm("bts eax, 0x7");
					}
					_t54 = _t53 >> 1;
					if((_t54 & 0x00000001) != 0) {
						asm("bts eax, 0x6");
					}
					_t55 = _t54 >> 1;
					if((_t55 & 0x00000001) != 0) {
						asm("bts eax, 0x5");
					}
					_t56 = _t55 >> 1;
					if((_t56 & 0x00000001) != 0) {
						asm("bts eax, 0x4");
					}
					_t57 = _t56 >> 1;
					if((_t57 & 0x00000001) != 0) {
						asm("bts eax, 0x3");
					}
					_t58 = _t57 >> 1;
					if((_t58 & 0x00000001) != 0) {
						asm("bts eax, 0x2");
					}
					_t59 = _t58 >> 1;
					if((_t59 & 0x00000001) != 0) {
						asm("bts eax, 0x1");
					}
					if((_t59 & 0x00000002) != 0) {
						asm("bts eax, 0x0");
					}
					_t50 = 0xc5533963;
					_t44 = _v8;
					_t95 = _t92 + _t44 * 4;
					_t76 = 1;
					do {
						if((_t50 & 0x00000001) != 0) {
							_t44 = 0x20 - _t76;
							asm("bts edx, eax");
						}
						_t76 = _t76 + 1;
						_t50 = _t50 >> 1;
					} while (_t76 < 0x21);
					_t53 = _v8 + 1;
					 *_t95 = 0;
					_v8 = _t53;
				} while (_t53 <= 0xff);
				return _t44;
			}

0x003f1cd3
0x003f1cdc
0x003f1ce1
0x003f1ce9
0x003f1ceb
0x003f1cf0
0x003f1cf5
0x003f1cf7
0x003f1cf7
0x003f1cfb
0x003f1d00
0x003f1d02
0x003f1d02
0x003f1d06
0x003f1d0b
0x003f1d0d
0x003f1d0d
0x003f1d11
0x003f1d16
0x003f1d18
0x003f1d18
0x003f1d1c
0x003f1d21
0x003f1d23
0x003f1d23
0x003f1d27
0x003f1d2c
0x003f1d2e
0x003f1d2e
0x003f1d32
0x003f1d37
0x003f1d39
0x003f1d39
0x003f1d40
0x003f1d42
0x003f1d42
0x003f1dc6
0x003f1dc8
0x003f1dcd
0x003f1dd0
0x003f1dd3
0x003f1dd6
0x003f1ddd
0x003f1ddf
0x003f1ddf
0x003f1de2
0x003f1de3
0x003f1de5
0x003f1ded
0x003f1dee
0x003f1df0
0x003f1df3
0x003f1e05

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1607511daf2ef41f7925a788e783a0b7feac88b636278245fb0a9d207e9d0a0f
Instruction ID: 822ef419d4be8ab86cf98b51fb0f63d2a4a66f81f5badeb78e05ee29e125fe54
Opcode Fuzzy Hash: 1607511daf2ef41f7925a788e783a0b7feac88b636278245fb0a9d207e9d0a0f
Instruction Fuzzy Hash: AC310A716409194BE31DC56CCC62BFE33D29B9A305F4D017CDB43DAAD2E9A6E6419200

Uniqueness

Uniqueness Score: -1.00%

Function 0040A321 Relevance: .1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0040A321(unsigned int _a4) {
				signed int _v8;
				signed int _v32;
				void _v36;
				signed int _t56;
				signed int _t59;
				unsigned int _t61;
				unsigned int _t63;
				signed int _t70;
				signed int _t81;
				void* _t101;

				_t61 = _a4;
				_t68 = _t61 >> 0x00000010 & 0x0000003f;
				_t70 = 7;
				memset( &_v36, 0, _t70 << 2);
				asm("fnstenv [ebp-0x20]");
				_v32 = _v32 ^ (_v32 ^ ((_t61 >> 0x00000010 & 1) << 0x00000005 | ((_t61 >> 0x00000010 & 0x0000003f) >> 0x00000001 & 1) << 0x00000004 | (_t68 >> 0x00000002 & 1) << 0x00000003 | (_t68 >> 0x00000003 & 1) << 0x00000002 | _t68 >> 0x00000004 & 1 | (_t68 >> 0x00000005 & 1) + (_t68 >> 0x00000005 & 1))) & 0x0000003f;
				asm("fldenv [ebp-0x20]");
				_t63 = _t61 >> 0x00000018 & 0x0000003f;
				_t56 = (_t63 >> 0x00000005 & 1) + (_t63 >> 0x00000005 & 1);
				_t81 = (_t63 & 1) << 0x00000005 | (_t63 >> 0x00000001 & 1) << 0x00000004 | (_t63 >> 0x00000002 & 1) << 0x00000003 | (_t63 >> 0x00000003 & 1) << 0x00000002 | _t63 >> 0x00000004 & 1 | _t56;
				_t101 =  *0x416f1c - 1; // 0x6
				if(_t101 >= 0) {
					asm("stmxcsr dword [ebp-0x4]");
					_t59 = _v8 & 0xffffffc0 | _t81 & 0x0000003f;
					_v8 = _t59;
					asm("ldmxcsr dword [ebp-0x4]");
					return _t59;
				}
				return _t56;
			}

0x0040a32c
0x0040a334
0x0040a38c
0x0040a38d
0x0040a38f
0x0040a39e
0x0040a3a1
0x0040a3a7
0x0040a3f1
0x0040a3f4
0x0040a3f6
0x0040a3fe
0x0040a400
0x0040a40d
0x0040a40f
0x0040a412
0x00000000
0x0040a412
0x0040a417

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3c570b4fce5989fb5d2f017565074a21b1dd420178e39b0ef900c692014042
Instruction ID: 2ff7a8dae0c94dd2c49bdb53e090edd02094bbc24b33d03d2718a14ccd177065
Opcode Fuzzy Hash: 1e3c570b4fce5989fb5d2f017565074a21b1dd420178e39b0ef900c692014042
Instruction Fuzzy Hash: C121B373F205394B7B0CC47E8C572BDB6E1C68C641745823AE8A6EA2C1D96CD917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A201 Relevance: .1, Instructions: 81
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0040A201(void* __ecx) {
				signed int _v8;
				signed int _v12;
				unsigned int _t55;
				signed int _t70;
				void* _t72;

				_v8 = 0;
				asm("fnstsw word [ebp-0x4]");
				_t70 = ((_v8 & 0x3f) >> 0x00000001 & 1) << 0x00000005 | ((_v8 & 0x3f) >> 0x00000002 & 1) << 0x00000003 | ((_v8 & 0x3f) >> 0x00000003 & 1) << 0x00000002 | (_t43 >> 0x00000004 & 1) + (_t43 >> 0x00000004 & 1) | (_t43 & 1) << 0x00000004 | _t43 >> 0x00000005;
				_t72 =  *0x416f1c - 1; // 0x6
				if(_t72 >= 0) {
					asm("stmxcsr dword [ebp-0x8]");
					_t55 = _v12 & 0x0000003f;
				} else {
					_t55 = 0;
				}
				return (((_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005) << 0x00000008 | _t70) << 0x00000010 | (_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005 | _t70;
			}

0x0040a20c
0x0040a210
0x0040a255
0x0040a257
0x0040a25d
0x0040a263
0x0040a26a
0x0040a25f
0x0040a25f
0x0040a25f
0x0040a2b8

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07114c1ad41cfac002ab735c620985283dd598a1fd81cf7d5ac34f120aa02987
Instruction ID: fa1510c451f291283ae6fb4c6654e18c326ad27923449344233d6abfbdd3dfe3
Opcode Fuzzy Hash: 07114c1ad41cfac002ab735c620985283dd598a1fd81cf7d5ac34f120aa02987
Instruction Fuzzy Hash: 44117723F30C255B675C81798C172BA95D2DBD825070F537ED826E73C4E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEB Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DEB(void* __ecx) {
				signed int _v8;
				intOrPtr _t10;
				signed int _t18;

				_t18 =  *0x4176cc; // 0x0
				if(_t18 == 0) {
					_v8 = _v8 & _t18;
					_t18 = _t18 + 1;
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t10 + 8));
					if( *((intOrPtr*)(_t10 + 8)) >= 0) {
						E003FFAC1(_t21,  &_v8);
						if(_v8 == _t18) {
							_t18 = 2;
						}
					}
					 *0x4176cc = _t18;
				}
				return _t18;
			}

0x00402df2
0x00402dfb
0x00402e03
0x00402e06
0x00402e07
0x00402e0a
0x00402e0e
0x00402e14
0x00402e1c
0x00402e20
0x00402e20
0x00402e1c
0x00402e28
0x00402e28
0x00402e2e

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6394e328749dfbcdf531ba3b622db2c59b497f1a25be01218ff83556895bc4e9
Instruction ID: 700cbe3c87d24be188cc8397a06642f46707d7aa863b982124fbe52cd9f5261d
Opcode Fuzzy Hash: 6394e328749dfbcdf531ba3b622db2c59b497f1a25be01218ff83556895bc4e9
Instruction Fuzzy Hash: 3EF0A031650224DFCB17C74CC909B9973B8EB04B20F114077E505EB291C2B4DE00C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00402E2F Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00402E2F(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E003FFA81(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00402e3c
0x00402e3e
0x00402e41
0x00402e44
0x00402e47
0x00402e58
0x00402e5a
0x00402e49
0x00402e4d
0x00402e56
0x00000000
0x00000000
0x00402e56
0x00402e5f

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f7741dc530c19225310b666ab06aa1ebe69653ea2bf657a35685a88ab55f30
Instruction ID: 07d72a8b39a034107d06f190cf93a01bd26c917fe40c1e02bd07f483a89b8760
Opcode Fuzzy Hash: 54f7741dc530c19225310b666ab06aa1ebe69653ea2bf657a35685a88ab55f30
Instruction Fuzzy Hash: 45E08632951138EBCB15DBCCC60494AF3ECEB44F04B11046AB505E3140C2B4DE41C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 003F1A80 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 178
windowcomregistryCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E003F1A80(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				struct tagMSG _v56;
				struct _WNDCLASSEXW _v104;
				char _v128;
				void* _v136;
				short _v140;
				char _v144;
				intOrPtr* _v148;
				char _v168;
				intOrPtr* _v176;
				signed int _t31;
				intOrPtr _t33;
				struct HWND__* _t39;
				struct HWND__* _t42;
				long _t66;
				intOrPtr* _t67;
				intOrPtr* _t72;
				intOrPtr _t87;
				void* _t88;
				void* _t92;
				struct HINSTANCE__* _t97;
				signed int _t101;

				_t88 = __edx;
				_t103 = (_t101 & 0xfffffff8) - 0x74;
				_t31 =  *0x416014; // 0x9d5f503d
				_v8 = _t31 ^ (_t101 & 0xfffffff8) - 0x00000074;
				_t33 = _a4;
				_t97 =  *0x417938; // 0x3f0000
				_t92 = __edx;
				 *0x41f9c8 = _t33;
				 *0x41f9c0 = 0x417738;
				__imp__OleInitialize(0, __edi, __esi, __ebx);
				if(_t33 != 0) {
					MessageBoxW(0, L"Can\'t open OLE!", L"ERROR", 0);
					return E003F5D05(_v12 ^ _t103);
				} else {
					_v104.style = _t33;
					asm("xorps xmm0, xmm0");
					_v104.hIconSm = _t33;
					asm("movlpd [esp+0x30], xmm0");
					asm("movlpd [esp+0x3c], xmm0");
					asm("movlpd [esp+0x44], xmm0");
					_v104.cbSize = 0x30;
					_v104.hInstance = _t97;
					_v104.lpfnWndProc = E003F1760;
					_v104.lpszClassName = L"Notification";
					RegisterClassExW( &_v104);
					_t39 = CreateWindowExW(0, L"Notification", L"App Store by Fast!", 0x86800000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t97, 0);
					 *0x41f9c4 = _t39;
					if(_t39 != 0) {
						SystemParametersInfoW(0x30, 0,  &_v28, 0);
						asm("cdq");
						asm("cdq");
						SetWindowPos( *0x41f9c4, 0xffffffff, _v20 - _v28 - 0x258 - _t88 >> 1, _v16 - _v24 - 0x190 - _t88 >> 1, 0x258, 0x190, 0);
						SetTimer( *0x41f9c4, 0x8fff, 0x2710, 0);
						_t66 = GetWindowLongW( *0x41f9c4, 0xffffffeb);
						_push( &_v128);
						_push(0x40d330);
						_t67 =  *_t66;
						_push(_t67);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t67))))() == 0) {
							__imp__#8( &_v136);
							_v140 = 8;
							__imp__#2(_t92);
							_v136 = 8;
							_t72 = _v148;
							_t87 =  *_t72;
							if(8 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xd0))))(_t72,  &_v144, 0, 0, 0, 0);
								__imp__#9( &_v168);
								_t72 = _v176;
								_t87 =  *_t72;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t87 + 8))))(_t72);
						}
					}
					if(GetMessageW( &_v56, 0, 0, 0) == 1) {
						asm("o16 nop [eax+eax]");
						do {
							TranslateMessage( &_v56);
							DispatchMessageW( &_v56);
						} while (GetMessageW( &_v56, 0, 0, 0) == 1);
					}
					__imp__OleUninitialize();
					_t42 =  *0x41f9c4;
					if(_t42 != 0) {
						DestroyWindow(_t42);
					}
					return E003F5D05(_v12 ^ _t103);
				}
			}

0x003f1a80
0x003f1a86
0x003f1a89
0x003f1a90
0x003f1a94
0x003f1a99
0x003f1aa2
0x003f1aa4
0x003f1aa9
0x003f1ab3
0x003f1abb
0x003f1ca8
0x003f1cc2
0x003f1ac1
0x003f1ac1
0x003f1ac5
0x003f1ac8
0x003f1ad1
0x003f1ad7
0x003f1add
0x003f1ae3
0x003f1aeb
0x003f1aef
0x003f1af7
0x003f1aff
0x003f1b2b
0x003f1b31
0x003f1b38
0x003f1b49
0x003f1b5c
0x003f1b7e
0x003f1b8c
0x003f1ba4
0x003f1bb2
0x003f1bbc
0x003f1bbd
0x003f1bc2
0x003f1bc4
0x003f1bcd
0x003f1bd4
0x003f1be0
0x003f1be5
0x003f1beb
0x003f1bf1
0x003f1bf5
0x003f1bf7
0x003f1c0d
0x003f1c14
0x003f1c1a
0x003f1c1e
0x003f1c1e
0x003f1c24
0x003f1c24
0x003f1bcd
0x003f1c3c
0x003f1c4a
0x003f1c50
0x003f1c55
0x003f1c5c
0x003f1c6b
0x003f1c50
0x003f1c70
0x003f1c76
0x003f1c7d
0x003f1c80
0x003f1c80
0x003f1c99
0x003f1c99

APIs

OleInitialize.OLE32(00000000), ref: 003F1AB3
RegisterClassExW.USER32 ref: 003F1AFF
CreateWindowExW.USER32 ref: 003F1B2B
SystemParametersInfoW.USER32 ref: 003F1B49
SetWindowPos.USER32(000000FF,?,?,00000258,00000190,00000000), ref: 003F1B8C
SetTimer.USER32 ref: 003F1BA4
GetWindowLongW.USER32(000000EB), ref: 003F1BB2
VariantInit.OLEAUT32(?), ref: 003F1BD4
SysAllocString.OLEAUT32 ref: 003F1BE5
VariantClear.OLEAUT32(?), ref: 003F1C14
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003F1C37
TranslateMessage.USER32(?), ref: 003F1C55
DispatchMessageW.USER32 ref: 003F1C5C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003F1C69
OleUninitialize.OLE32 ref: 003F1C70
DestroyWindow.USER32(?), ref: 003F1C80
MessageBoxW.USER32(00000000,Can't open OLE!,ERROR,00000000), ref: 003F1CA8

Strings

App Store by Fast!, xrefs: 003F1B1F
ERROR, xrefs: 003F1C9C
0, xrefs: 003F1AE3
32BB3542-7533-27D2-5200-3CE24BD43271, xrefs: 003F1AA9
Can't open OLE!, xrefs: 003F1CA1
Notification, xrefs: 003F1AF7, 003F1B24

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Message$Window$Variant$AllocClassClearCreateDestroyDispatchInfoInitInitializeLongParametersRegisterStringSystemTimerTranslateUninitialize
String ID: 0$32BB3542-7533-27D2-5200-3CE24BD43271$App Store by Fast!$Can't open OLE!$ERROR$Notification
API String ID: 412711247-1813017386
Opcode ID: 7feb3d546176cd152bacbecfd6237cff03dd53cc97c3ae2c32e141558926d0ba
Instruction ID: 14918b922b6b13a56ed7287631cf4a6eafa49b7f2262dedc75d815e5f5b8d31e
Opcode Fuzzy Hash: 7feb3d546176cd152bacbecfd6237cff03dd53cc97c3ae2c32e141558926d0ba
Instruction Fuzzy Hash: 51516171A54305AFD310DFA8DE45F6AB7E8FB88710F10462AF654EB1E0DBB0E4048B5A

Uniqueness

Uniqueness Score: -1.00%

Function 003F1880 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 157
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E003F1880(void* __ebx, signed short* __edx, void* __edi, void* __esi) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void _v32;
				struct tagMSG _v60;
				struct _WNDCLASSEXW _v108;
				char _v132;
				void* _v140;
				short _v144;
				char _v148;
				intOrPtr* _v152;
				char _v172;
				intOrPtr* _v180;
				short _v8200;
				signed int _t51;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				intOrPtr _t58;
				signed int _t60;
				intOrPtr _t62;
				struct HWND__* _t68;
				struct HWND__* _t71;
				long _t95;
				intOrPtr* _t96;
				intOrPtr* _t101;
				signed int _t108;
				signed int _t109;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				void* _t124;
				signed short* _t128;
				short* _t129;
				void* _t132;
				intOrPtr _t138;
				intOrPtr* _t139;
				intOrPtr* _t140;
				intOrPtr* _t141;
				intOrPtr* _t142;
				void* _t145;
				void* _t148;
				void* _t149;
				void* _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				void* _t154;
				void* _t155;
				void* _t162;
				void* _t163;
				struct HINSTANCE__* _t164;
				intOrPtr _t168;
				signed int _t169;
				signed int _t171;

				_t154 = __edi;
				_t142 = __edx;
				_t124 = __ebx;
				E0040BEE0();
				_t51 =  *0x416014; // 0x9d5f503d
				_v8 = _t51 ^ _t169;
				_t128 = __edx;
				goto L1;
				while(1) {
					L3:
					_t162 =  *_t55;
					if(_t162 !=  *_t129) {
						break;
					}
					if(_t162 == 0) {
						L7:
						_t56 = 0;
					} else {
						_t5 = _t55 + 2; // 0x0
						_t168 =  *_t5;
						if(_t168 !=  *((intOrPtr*)(_t129 + 2))) {
							break;
						} else {
							_t55 = _t55 + 4;
							_t129 = _t129 + 4;
							if(_t168 != 0) {
								continue;
							} else {
								goto L7;
							}
						}
					}
					L9:
					_pop(_t163);
					if(_t56 != 0) {
						L41:
						return E003F5D05(_v8 ^ _t169);
					} else {
						_t132 = _t142 + 2;
						asm("o16 nop [eax+eax]");
						do {
							_t58 =  *_t142;
							_t142 = _t142 + 2;
						} while (_t58 != 0);
						_t145 = (_t142 - _t132 >> 1) * 2 - 2;
						if(_t145 >= 0x8000) {
							E003F5E37();
							asm("int3");
							_t173 = (_t171 & 0xfffffff8) - 0x74;
							_t60 =  *0x416014; // 0x9d5f503d
							_v12 = _t60 ^ (_t171 & 0xfffffff8) - 0x00000074;
							_t62 = _v0;
							_t164 =  *0x417938; // 0x3f0000
							_t155 = _t145;
							 *0x41f9c8 = _t62;
							 *0x41f9c0 = 0x417738;
							__imp__OleInitialize(0, _t154, _t163, _t124, _t169);
							if(_t62 != 0) {
								MessageBoxW(0, L"Can\'t open OLE!", L"ERROR", 0);
								return E003F5D05(_v16 ^ _t173);
							} else {
								_v108.style = _t62;
								asm("xorps xmm0, xmm0");
								_v108.hIconSm = _t62;
								asm("movlpd [esp+0x30], xmm0");
								asm("movlpd [esp+0x3c], xmm0");
								asm("movlpd [esp+0x44], xmm0");
								_v108.cbSize = 0x30;
								_v108.hInstance = _t164;
								_v108.lpfnWndProc = E003F1760;
								_v108.lpszClassName = L"Notification";
								RegisterClassExW( &_v108);
								_t68 = CreateWindowExW(0, L"Notification", L"App Store by Fast!", 0x86800000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t164, 0);
								 *0x41f9c4 = _t68;
								if(_t68 != 0) {
									SystemParametersInfoW(0x30, 0,  &_v32, 0);
									asm("cdq");
									asm("cdq");
									SetWindowPos( *0x41f9c4, 0xffffffff, _v24 - _v32 - 0x258 - _t145 >> 1, _v20 - _v28 - 0x190 - _t145 >> 1, 0x258, 0x190, 0);
									SetTimer( *0x41f9c4, 0x8fff, 0x2710, 0);
									_t95 = GetWindowLongW( *0x41f9c4, 0xffffffeb);
									_push( &_v132);
									_push(0x40d330);
									_t96 =  *_t95;
									_push(_t96);
									if( *((intOrPtr*)( *((intOrPtr*)( *_t96))))() == 0) {
										__imp__#8( &_v140);
										_v144 = 8;
										__imp__#2(_t155);
										_v140 = 8;
										_t101 = _v152;
										_t138 =  *_t101;
										if(8 != 0) {
											 *((intOrPtr*)( *((intOrPtr*)(_t138 + 0xd0))))(_t101,  &_v148, 0, 0, 0, 0);
											__imp__#9( &_v172);
											_t101 = _v180;
											_t138 =  *_t101;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t138 + 8))))(_t101);
									}
								}
								if(GetMessageW( &_v60, 0, 0, 0) == 1) {
									asm("o16 nop [eax+eax]");
									do {
										TranslateMessage( &_v60);
										DispatchMessageW( &_v60);
									} while (GetMessageW( &_v60, 0, 0, 0) == 1);
								}
								__imp__OleUninitialize();
								_t71 =  *0x41f9c4;
								if(_t71 != 0) {
									DestroyWindow(_t71);
								}
								return E003F5D05(_v16 ^ _t173);
							}
						} else {
							_t139 = L"\'close\'";
							 *((short*)(_t145 + 0x4179c0)) = 0;
							_t108 = 0x4179de;
							while(1) {
								_t148 =  *_t108;
								if(_t148 !=  *_t139) {
									break;
								}
								if(_t148 == 0) {
									L18:
									_t109 = 0;
								} else {
									_t11 = _t108 + 2; // 0x0
									_t153 =  *_t11;
									if(_t153 !=  *((intOrPtr*)(_t139 + 2))) {
										break;
									} else {
										_t108 = _t108 + 4;
										_t139 = _t139 + 4;
										if(_t153 != 0) {
											continue;
										} else {
											goto L18;
										}
									}
								}
								L20:
								if(_t109 == 0) {
									L30:
									PostMessageW( *0x41f9c4, 0x10, 0, 0);
								} else {
									_t140 = L"\'open\'";
									_t112 = 0x4179de;
									while(1) {
										_t149 =  *_t112;
										if(_t149 !=  *_t140) {
											break;
										}
										if(_t149 == 0) {
											L26:
											_t113 = 0;
										} else {
											_t13 = _t112 + 2; // 0x0
											_t152 =  *_t13;
											if(_t152 !=  *((intOrPtr*)(_t140 + 2))) {
												break;
											} else {
												_t112 = _t112 + 4;
												_t140 = _t140 + 4;
												if(_t152 != 0) {
													continue;
												} else {
													goto L26;
												}
											}
										}
										L28:
										if(_t113 != 0) {
											_t141 = L"\'loaded\'";
											_t114 = 0x4179de;
											while(1) {
												_t150 =  *_t114;
												if(_t150 !=  *_t141) {
													break;
												}
												if(_t150 == 0) {
													L36:
													_t115 = 0;
												} else {
													_t17 = _t114 + 2; // 0x0
													_t151 =  *_t17;
													if(_t151 !=  *((intOrPtr*)(_t141 + 2))) {
														break;
													} else {
														_t114 = _t114 + 4;
														_t141 = _t141 + 4;
														if(_t151 != 0) {
															continue;
														} else {
															goto L36;
														}
													}
												}
												L38:
												if(_t115 == 0) {
													KillTimer( *0x41f9c4, 0x8fff);
													ShowWindow( *0x41f9c4, 5);
													UpdateWindow( *0x41f9c4);
												}
												goto L40;
											}
											asm("sbb eax, eax");
											_t115 = _t114 | 0x00000001;
											goto L38;
										} else {
											wsprintfW( &_v8200, L"https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%d",  *0x41f9c8,  *0x41f9c0, GetTickCount());
											_t171 = _t171 + 0x14;
											ShellExecuteW(0, L"open",  &_v8200, 0, 0, 0);
											goto L30;
										}
										goto L40;
									}
									asm("sbb eax, eax");
									_t113 = _t112 | 0x00000001;
									goto L28;
								}
								L40:
								E003F11F0("%ws\n", 0x4179de);
								goto L41;
							}
							asm("sbb eax, eax");
							_t109 = _t108 | 0x00000001;
							goto L20;
						}
					}
				}
				asm("sbb eax, eax");
				_t56 = _t55 | 0x00000001;
				goto L9;
				L1:
				_t53 =  *_t128 & 0x0000ffff;
				_t128 =  &(_t128[1]);
				 *(0x4179c0 + _t128 - 2) = _t53;
				if(_t53 != 0) {
					goto L1;
				} else {
					_t129 = L"javascript:___";
					 *0x4179dc = 0;
					_t55 = 0x4179c0;
				}
				goto L3;
			}

0x003f1880
0x003f1880
0x003f1880
0x003f1888
0x003f188d
0x003f1894
0x003f189d
0x003f189f
0x003f18c3
0x003f18c3
0x003f18c3
0x003f18c9
0x00000000
0x00000000
0x003f18ce
0x003f18e5
0x003f18e5
0x003f18d0
0x003f18d0
0x003f18d0
0x003f18d8
0x00000000
0x003f18da
0x003f18da
0x003f18dd
0x003f18e3
0x00000000
0x00000000
0x00000000
0x00000000
0x003f18e3
0x003f18d8
0x003f18ee
0x003f18ee
0x003f18f1
0x003f1a6c
0x003f1a79
0x003f18f7
0x003f18f7
0x003f18fa
0x003f1900
0x003f1900
0x003f1903
0x003f1906
0x003f190f
0x003f191c
0x003f1a7a
0x003f1a7f
0x003f1a86
0x003f1a89
0x003f1a90
0x003f1a94
0x003f1a99
0x003f1aa2
0x003f1aa4
0x003f1aa9
0x003f1ab3
0x003f1abb
0x003f1ca8
0x003f1cc2
0x003f1ac1
0x003f1ac1
0x003f1ac5
0x003f1ac8
0x003f1ad1
0x003f1ad7
0x003f1add
0x003f1ae3
0x003f1aeb
0x003f1aef
0x003f1af7
0x003f1aff
0x003f1b2b
0x003f1b31
0x003f1b38
0x003f1b49
0x003f1b5c
0x003f1b7e
0x003f1b8c
0x003f1ba4
0x003f1bb2
0x003f1bbc
0x003f1bbd
0x003f1bc2
0x003f1bc4
0x003f1bcd
0x003f1bd4
0x003f1be0
0x003f1be5
0x003f1beb
0x003f1bf1
0x003f1bf5
0x003f1bf7
0x003f1c0d
0x003f1c14
0x003f1c1a
0x003f1c1e
0x003f1c1e
0x003f1c24
0x003f1c24
0x003f1bcd
0x003f1c3c
0x003f1c4a
0x003f1c50
0x003f1c55
0x003f1c5c
0x003f1c6b
0x003f1c50
0x003f1c70
0x003f1c76
0x003f1c7d
0x003f1c80
0x003f1c80
0x003f1c99
0x003f1c99
0x003f1922
0x003f1924
0x003f1929
0x003f1930
0x003f1935
0x003f1935
0x003f193b
0x00000000
0x00000000
0x003f1940
0x003f1957
0x003f1957
0x003f1942
0x003f1942
0x003f1942
0x003f194a
0x00000000
0x003f194c
0x003f194c
0x003f194f
0x003f1955
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1955
0x003f194a
0x003f1960
0x003f1962
0x003f19e1
0x003f19ed
0x003f1964
0x003f1964
0x003f1969
0x003f1970
0x003f1970
0x003f1976
0x00000000
0x00000000
0x003f197b
0x003f1992
0x003f1992
0x003f197d
0x003f197d
0x003f197d
0x003f1985
0x00000000
0x003f1987
0x003f1987
0x003f198a
0x003f1990
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1990
0x003f1985
0x003f199b
0x003f199d
0x003f19f5
0x003f19fa
0x003f1a00
0x003f1a00
0x003f1a06
0x00000000
0x00000000
0x003f1a0b
0x003f1a22
0x003f1a22
0x003f1a0d
0x003f1a0d
0x003f1a0d
0x003f1a15
0x00000000
0x003f1a17
0x003f1a17
0x003f1a1a
0x003f1a20
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1a20
0x003f1a15
0x003f1a2b
0x003f1a2d
0x003f1a3a
0x003f1a48
0x003f1a54
0x003f1a54
0x00000000
0x003f1a2d
0x003f1a26
0x003f1a28
0x00000000
0x003f199f
0x003f19be
0x003f19c4
0x003f19db
0x00000000
0x003f19db
0x00000000
0x003f199d
0x003f1996
0x003f1998
0x00000000
0x003f1998
0x003f1a5a
0x003f1a64
0x00000000
0x003f1a69
0x003f195b
0x003f195d
0x00000000
0x003f195d
0x003f191c
0x003f18f1
0x003f18e9
0x003f18eb
0x00000000
0x003f18a1
0x003f18a1
0x003f18a4
0x003f18a7
0x003f18af
0x00000000
0x003f18b1
0x003f18b3
0x003f18b8
0x003f18be
0x003f18be
0x00000000

APIs

GetTickCount.KERNEL32 ref: 003F199F
wsprintfW.USER32 ref: 003F19BE
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 003F19DB
PostMessageW.USER32(00000010,00000000,00000000), ref: 003F19ED
KillTimer.USER32(00008FFF,?,003F12FB), ref: 003F1A3A
ShowWindow.USER32(00000005,?,003F12FB), ref: 003F1A48
UpdateWindow.USER32 ref: 003F1A54

Strings

https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%d, xrefs: 003F19B8
open, xrefs: 003F19D4
'close', xrefs: 003F1924
javascript:___, xrefs: 003F18B3
'open', xrefs: 003F1964
'loaded', xrefs: 003F19F5
%ws, xrefs: 003F1A5F

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Window$CountExecuteKillMessagePostShellShowTickTimerUpdatewsprintf
String ID: %ws$'close'$'loaded'$'open'$https://veryfast.io/notify_click_v2.php?&oid=%d&guid=%ws&nocache=%d$javascript:___$open
API String ID: 74887147-2763260779
Opcode ID: 544a4a846bd94d88e038222d18126845b96488147a193f0acfe6a0587122cb5d
Instruction ID: f58efc422c754b18d2090bc202f48e766f13559eb5f967d0945cb293fa8eec0c
Opcode Fuzzy Hash: 544a4a846bd94d88e038222d18126845b96488147a193f0acfe6a0587122cb5d
Instruction Fuzzy Hash: F9516B72610109DAEB266B60EE02BF23272FF34744F568076DB06EB1A5F762DD45C398

Uniqueness

Uniqueness Score: -1.00%

Function 00404A1B Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404A1B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x416840) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E003FF8AF(_t46);
							E004045CA( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E003FF8AF(_t47);
							E004046C8( *((intOrPtr*)(_t74 + 0x88)));
						}
						E003FF8AF( *((intOrPtr*)(_t74 + 0x7c)));
						E003FF8AF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E003FF8AF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E003FF8AF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E003FF8AF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E003FF8AF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00404B8C( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x416210) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E003FF8AF(_t31);
							E003FF8AF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E003FF8AF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E003FF8AF(_t74);
			}

0x00404a23
0x00404a27
0x00404a2f
0x00404a38
0x00404a3d
0x00404a44
0x00404a4c
0x00404a54
0x00404a5f
0x00404a65
0x00404a66
0x00404a6e
0x00404a76
0x00404a81
0x00404a87
0x00404a8b
0x00404a96
0x00404a9c
0x00404a3d
0x00404a9d
0x00404aa5
0x00404ab8
0x00404acb
0x00404ad9
0x00404ae4
0x00404ae9
0x00404af2
0x00404afa
0x00404afb
0x00404b01
0x00404b04
0x00404b07
0x00404b0e
0x00404b10
0x00404b14
0x00404b1c
0x00404b23
0x00404b29
0x00404b2a
0x00404b2a
0x00404b31
0x00404b33
0x00404b38
0x00404b40
0x00404b45
0x00404b46
0x00404b46
0x00404b49
0x00404b4c
0x00404b4f
0x00404b52
0x00404b52
0x00404b62

APIs

___free_lconv_mon.LIBCMT ref: 00404A5F

Part of subcall function 004045CA: _free.LIBCMT ref: 004045E7
Part of subcall function 004045CA: _free.LIBCMT ref: 004045F9
Part of subcall function 004045CA: _free.LIBCMT ref: 0040460B
Part of subcall function 004045CA: _free.LIBCMT ref: 0040461D
Part of subcall function 004045CA: _free.LIBCMT ref: 0040462F
Part of subcall function 004045CA: _free.LIBCMT ref: 00404641
Part of subcall function 004045CA: _free.LIBCMT ref: 00404653
Part of subcall function 004045CA: _free.LIBCMT ref: 00404665
Part of subcall function 004045CA: _free.LIBCMT ref: 00404677
Part of subcall function 004045CA: _free.LIBCMT ref: 00404689
Part of subcall function 004045CA: _free.LIBCMT ref: 0040469B
Part of subcall function 004045CA: _free.LIBCMT ref: 004046AD
Part of subcall function 004045CA: _free.LIBCMT ref: 004046BF

_free.LIBCMT ref: 00404A54

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

_free.LIBCMT ref: 00404A76
_free.LIBCMT ref: 00404A8B
_free.LIBCMT ref: 00404A96
_free.LIBCMT ref: 00404AB8
_free.LIBCMT ref: 00404ACB
_free.LIBCMT ref: 00404AD9
_free.LIBCMT ref: 00404AE4
_free.LIBCMT ref: 00404B1C
_free.LIBCMT ref: 00404B23
_free.LIBCMT ref: 00404B40
_free.LIBCMT ref: 00404B58

Strings

@hA, xrefs: 00404A31

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: @hA
API String ID: 161543041-589612155
Opcode ID: 59531c1c1c61aecd1d8a0be9a76af984e3c2e617c3f92041d0821576ee4a61c4
Instruction ID: 9d5d46bb79455ecac526a49c345b86717d2a19e48fa2ef1cd773d5103bc160ee
Opcode Fuzzy Hash: 59531c1c1c61aecd1d8a0be9a76af984e3c2e617c3f92041d0821576ee4a61c4
Instruction Fuzzy Hash: B8314FB1600305AFEB21AA79D845B6B77E9EF80350F14453AE655EB291DF38FD80CB18

Uniqueness

Uniqueness Score: -1.00%

Function 003F1550 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 206
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E003F1550(void* __ebx, struct HWND__* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				struct tagRECT _v24;
				void* _v28;
				void* _v32;
				int _v36;
				signed int _t46;
				int* _t49;
				void* _t55;
				int _t56;
				intOrPtr* _t57;
				intOrPtr* _t65;
				intOrPtr* _t76;
				int _t80;
				intOrPtr* _t81;
				intOrPtr* _t84;
				intOrPtr* _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t96;
				struct HWND__* _t107;
				intOrPtr* _t111;
				long _t136;
				void* _t137;
				void* _t139;
				void _t140;
				signed int _t141;

				_t46 =  *0x416014; // 0x9d5f503d
				_v8 = _t46 ^ _t141;
				_t107 = __ecx;
				_t136 = GlobalAlloc(0, 0x18);
				if(_t136 != 0) {
					_t49 =  &_v36;
					 *((intOrPtr*)(_t136 + 4)) = 0x416918;
					_t5 = _t136 + 4; // 0x4
					_t139 = _t5;
					 *((intOrPtr*)(_t139 + 4)) = 0x416978;
					 *((intOrPtr*)(_t139 + 8)) = 0x41693c;
					 *(_t139 + 0xc) = _t107;
					 *((intOrPtr*)(_t139 + 0x10)) = 0x4168d0;
					_v36 = 0;
					__imp__CoGetClassObject(0x40d340, 3, 0, 0x40d2e0, _t49);
					if(_t49 != 0) {
						L14:
						GlobalFree(_t136);
						return E003F5D05(_v8 ^ _t141);
					} else {
						_t111 = _v36;
						if(_t111 == 0) {
							goto L14;
						} else {
							_t55 =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0xc))))(_t111, 0, 0x40d300,  &_v28);
							_t56 = _v36;
							_push(_t56);
							_t57 =  *((intOrPtr*)( *_t56 + 8));
							if(_t55 != 0) {
								 *_t57();
								GlobalFree(_t136);
								return E003F5D05(_v8 ^ _t141);
							} else {
								 *_t57();
								 *_t136 = _v28;
								SetWindowLongW(_t107, 0xffffffeb, _t136);
								_t65 = _v28;
								_push(_t139);
								_push(_t65);
								if( *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0xc))))() != 0) {
									L10:
									_t137 = GetWindowLongW(_t107, 0xffffffeb);
									if(_t137 != 0) {
										_t140 =  *_t137;
										 *((intOrPtr*)( *((intOrPtr*)( *_t140 + 0x18))))(_t140, 1);
										 *((intOrPtr*)( *((intOrPtr*)( *_t140 + 8))))(_t140);
										GlobalFree(_t137);
									}
									return E003F5D05(_v8 ^ _t141);
								} else {
									_t76 = _v28;
									 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 0x14))))(_t76, L"My Host Name", 0);
									_t80 = GetClientRect(_t107,  &_v24);
									__imp__OleSetContainedObject(_v28, 1);
									if(_t80 != 0) {
										goto L10;
									} else {
										_t81 = _v28;
										_push( &_v24);
										_push(_t107);
										_push(0xffffffff);
										_push(_t139);
										_push(0);
										_push(0xffffffff);
										_push(_t81);
										if( *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x2c))))() != 0) {
											goto L10;
										} else {
											_t84 = _v28;
											_push( &_v32);
											_push(0x40d330);
											_push(_t84);
											if( *((intOrPtr*)( *((intOrPtr*)( *_t84))))() != 0) {
												goto L10;
											} else {
												_t87 = _v32;
												 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 0x58))))(_t87, 0);
												_t90 = _v32;
												 *((intOrPtr*)( *((intOrPtr*)( *_t90 + 0x60))))(_t90, 0);
												_t93 = _v32;
												 *((intOrPtr*)( *((intOrPtr*)( *_t93 + 0x68))))(_t93, _v24.right);
												_t96 = _v32;
												 *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x70))))(_t96, _v24.bottom);
												 *((intOrPtr*)( *((intOrPtr*)( *_v32 + 8))))();
												return E003F5D05(_v8 ^ _t141, _v32);
											}
										}
									}
								}
							}
						}
					}
				} else {
					return E003F5D05(_v8 ^ _t141);
				}
			}

0x003f1556
0x003f155d
0x003f1567
0x003f156f
0x003f1573
0x003f1589
0x003f158c
0x003f1599
0x003f1599
0x003f159c
0x003f15a7
0x003f15ae
0x003f15b1
0x003f15bd
0x003f15c4
0x003f15cc
0x003f173b
0x003f173c
0x003f1757
0x003f15d2
0x003f15d2
0x003f15d7
0x00000000
0x003f15dd
0x003f15ee
0x003f15f2
0x003f15f5
0x003f15f8
0x003f15fb
0x003f171c
0x003f171f
0x003f173a
0x003f1601
0x003f1601
0x003f160a
0x003f160c
0x003f1612
0x003f1615
0x003f1616
0x003f1620
0x003f16dc
0x003f16e5
0x003f16e9
0x003f16eb
0x003f16f5
0x003f16fd
0x003f1700
0x003f1700
0x003f171b
0x003f1626
0x003f1626
0x003f1636
0x003f163d
0x003f1648
0x003f1650
0x00000000
0x003f1656
0x003f1656
0x003f165c
0x003f165d
0x003f165e
0x003f1662
0x003f1663
0x003f1665
0x003f1667
0x003f166f
0x00000000
0x003f1671
0x003f1671
0x003f1677
0x003f1678
0x003f167d
0x003f1686
0x00000000
0x003f1688
0x003f1688
0x003f1693
0x003f1695
0x003f16a0
0x003f16a2
0x003f16ae
0x003f16b0
0x003f16bc
0x003f16c7
0x003f16db
0x003f16db
0x003f1686
0x003f166f
0x003f1650
0x003f1620
0x003f15fb
0x003f15d7
0x003f1575
0x003f1588
0x003f1588

APIs

GlobalAlloc.KERNEL32(00000000,00000018), ref: 003F1569
CoGetClassObject.OLE32(0040D340,00000003,00000000,0040D2E0,?), ref: 003F15C4
SetWindowLongW.USER32 ref: 003F160C
GetClientRect.USER32 ref: 003F163D
OleSetContainedObject.OLE32(?,00000001), ref: 003F1648

Strings

<iA, xrefs: 003F15A7
xiA, xrefs: 003F159C
My Host Name, xrefs: 003F162B

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Object$AllocClassClientContainedGlobalLongRectWindow
String ID: <iA$My Host Name$xiA
API String ID: 2332255021-2466216439
Opcode ID: 04dc8a75d02ee8376843e32458d796262ff1cb15db1fbaf34471b2cce67d7286
Instruction ID: 1dbe01cdc84fae8065f4e4a5971b6312c12554a071752eebecb92e36d8b968ad
Opcode Fuzzy Hash: 04dc8a75d02ee8376843e32458d796262ff1cb15db1fbaf34471b2cce67d7286
Instruction Fuzzy Hash: 53613D75600109AFCB14DFA8DD95FAA77B8EF89310F104169F61AEB2A0DB31ED06CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004008BC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004008BC(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x40e240;
				if(_t67 != 0x40e240) {
					E003FF8AF(_t67);
					_t36 = _a4;
				}
				E003FF8AF( *((intOrPtr*)(_t36 + 0x3c)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x30)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x34)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x38)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x28)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x2c)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x40)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x44)));
				E003FF8AF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E004006E8( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00400753( &_v5, _t71, _t72, _t76);
			}

0x004008bc
0x004008bc
0x004008c1
0x004008c7
0x004008c9
0x004008cf
0x004008d2
0x004008d7
0x004008da
0x004008de
0x004008e9
0x004008f4
0x004008ff
0x0040090a
0x00400915
0x00400920
0x0040092b
0x00400939
0x00400944
0x0040094c
0x0040094d
0x00400950
0x00400956
0x0040095a
0x0040095e
0x0040095f
0x00400969
0x0040096f
0x00400970
0x00400973
0x00400979
0x0040097d
0x00400981
0x00400988

APIs

_free.LIBCMT ref: 004008D2

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

_free.LIBCMT ref: 004008DE
_free.LIBCMT ref: 004008E9
_free.LIBCMT ref: 004008F4
_free.LIBCMT ref: 004008FF
_free.LIBCMT ref: 0040090A
_free.LIBCMT ref: 00400915
_free.LIBCMT ref: 00400920
_free.LIBCMT ref: 0040092B
_free.LIBCMT ref: 00400939

Strings

@@, xrefs: 004008C9

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: @@
API String ID: 776569668-4185446002
Opcode ID: 47ea654ac1d1cea2fcfc05f1195fd496cbdcc4e0a32ca672ea02454c9f0baf0e
Instruction ID: f3367a0ed71d7cb5f166cddd9b5d77f35c86fe58dac3658e0ccf75b94b628b43
Opcode Fuzzy Hash: 47ea654ac1d1cea2fcfc05f1195fd496cbdcc4e0a32ca672ea02454c9f0baf0e
Instruction Fuzzy Hash: 6921737691010CBFCB42EF95C881DEE7BB9FF48340B0586A6FA159B161DB31EA548B80

Uniqueness

Uniqueness Score: -1.00%

Function 00408803 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E00408803(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed char _t242;
				signed int _t243;
				intOrPtr _t247;
				void* _t254;
				void* _t264;
				signed int _t265;
				signed int _t268;
				signed int _t269;
				signed int _t272;
				void* _t274;
				void* _t276;
				void* _t277;
				void* _t279;
				void* _t280;
				void* _t282;
				void* _t286;
				signed int _t290;

				_t239 = __edx;
				_t264 = E004085DF(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t264, _t191 << 2);
				_t276 = _t274 + 0x1c;
				_t265 = _t264 | 0xffffffff;
				_t289 = _v36 - _t265;
				if(_v36 != _t265) {
					_t114 = E004043BC(_t188, 0, _t239, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t265;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t277 = _t276 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t277,  &_v48, 1 << 2);
						_t196 = 0;
						_t254 = E0040854A();
						_t279 = _t277 + 0x2c;
						_v12 = _t254;
						__eflags = _t254 - 0xffffffff;
						if(_t254 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t254);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00404307(_t196, _t254,  *_t189, _t254);
								_t242 = _v5 | 0x00000001;
								_v5 = _t242;
								_v48 = _t242;
								 *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t242;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x417358 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t280 = _t279 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t280,  &_v48, _t205 << 2);
									_t134 = E004082F7(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t243 =  *_t189;
									_t268 = _t134;
									_t282 = _t280 + 0x30;
									__eflags = _t268;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x417358 + (_t243 >> 6) * 4)) + 0x29 + (_t243 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x417358 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t269 = _v44;
										__eflags = (_t269 & 0xc0000000) - 0xc0000000;
										if((_t269 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t269 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t282 - 0x18,  &_v48, _t214 << 2);
											_t247 = E0040854A();
											__eflags = _t247 - 0xffffffff;
											if(_t247 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x417358 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t247;
												goto L32;
											}
											E003FD847(GetLastError());
											 *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E004044CF( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t243);
									goto L21;
								} else {
									_t268 = E00408759(_t204,  *_t189);
									__eflags = _t268;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00401DE4(__eflags);
									return _t268;
								}
							}
							_t272 = GetLastError();
							E003FD847(_t272);
							 *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417358 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t254);
							__eflags = _t272;
							if(__eflags == 0) {
								 *((intOrPtr*)(E003FD87D(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x417358 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E003FD847(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t286 = _t279 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t286,  &_v48, _t238 << 2);
						_t196 = 0;
						_t254 = E0040854A();
						_t279 = _t286 + 0x2c;
						_v12 = _t254;
						__eflags = _t254 - 0xffffffff;
						if(_t254 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E003FD86A(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t265;
						 *((intOrPtr*)(E003FD87D(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E003FD86A(_t289);
					 *_t186 =  *_t186 & 0x00000000;
					_t290 =  *_t186;
					 *_a8 = _t265;
					L2:
					return  *((intOrPtr*)(E003FD87D(_t290)));
				}
			}

0x00408803
0x00408826
0x0040882a
0x0040882b
0x0040882b
0x0040882d
0x00408830
0x00408833
0x0040884e
0x00408853
0x00408856
0x00408858
0x0040885a
0x00408879
0x00408880
0x00408887
0x0040888a
0x00408896
0x00408899
0x004088a1
0x004088a2
0x004088a5
0x004088a5
0x004088ac
0x004088ae
0x004088b1
0x004088b9
0x004088bc
0x00408929
0x0040892a
0x00408930
0x00408932
0x0040897b
0x0040897e
0x00408987
0x0040898a
0x0040898d
0x0040898f
0x0040898f
0x0040898f
0x00408980
0x00408983
0x00408983
0x00408994
0x00408997
0x004089a3
0x004089a8
0x004089b4
0x004089be
0x004089c2
0x004089cc
0x004089cf
0x004089da
0x004089df
0x004089fe
0x00408a01
0x00408a05
0x00408a06
0x00408a0c
0x00408a11
0x00408a14
0x00408a16
0x00408a18
0x00408a1d
0x00408a1f
0x00408a21
0x00408a24
0x00408a26
0x00408a40
0x00408a64
0x00408a68
0x00408a6c
0x00408a6e
0x00408a72
0x00408a74
0x00408a7e
0x00408a81
0x00408a88
0x00408a88
0x00408a88
0x00408a88
0x00408a72
0x00408a8d
0x00408a99
0x00408a9b
0x00408b26
0x00408b26
0x00000000
0x00408aa1
0x00408aa1
0x00408aa5
0x00000000
0x00000000
0x00408aaa
0x00408abc
0x00408ac4
0x00408ac7
0x00408ac8
0x00408acb
0x00408ad2
0x00408ad7
0x00408ada
0x00408b0e
0x00408b18
0x00408b18
0x00408b22
0x00000000
0x00408b22
0x00408ae3
0x00408afc
0x00408b03
0x00408923
0x00000000
0x00408923
0x00408a9b
0x00408a28
0x00000000
0x004089e1
0x004089e8
0x004089eb
0x004089ed
0x00000000
0x00000000
0x004089ef
0x004089f1
0x004089f1
0x00000000
0x004089f7
0x004089df
0x0040893a
0x0040893d
0x00408958
0x0040895d
0x00408963
0x00408965
0x00408970
0x00408970
0x00000000
0x00408965
0x004088be
0x004088c5
0x004088c7
0x004088fe
0x004088fe
0x00408908
0x0040890b
0x00408912
0x00408912
0x00408912
0x0040891e
0x00000000
0x0040891e
0x004088c9
0x004088cd
0x00000000
0x00000000
0x004088cf
0x004088de
0x004088e3
0x004088e6
0x004088e7
0x004088ea
0x004088ea
0x004088f1
0x004088f3
0x004088f6
0x004088f9
0x004088fc
0x00000000
0x00000000
0x00000000
0x0040885c
0x00408861
0x00408864
0x0040886b
0x00000000
0x0040886b
0x00408835
0x00408835
0x0040883a
0x0040883a
0x00408840
0x00408842
0x00000000
0x00408847

APIs

Part of subcall function 0040854A: CreateFileW.KERNEL32(00000000,00000000,?,004088AC,?,?,00000000,?,004088AC,00000000,0000000C), ref: 00408567

GetLastError.KERNEL32 ref: 00408917
__dosmaperr.LIBCMT ref: 0040891E
GetFileType.KERNEL32(00000000), ref: 0040892A
GetLastError.KERNEL32 ref: 00408934
__dosmaperr.LIBCMT ref: 0040893D
CloseHandle.KERNEL32(00000000), ref: 0040895D
CloseHandle.KERNEL32(00000000), ref: 00408AAA
GetLastError.KERNEL32 ref: 00408ADC
__dosmaperr.LIBCMT ref: 00408AE3

Strings

H, xrefs: 00408A68

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 27ca794759b927114118cb5a0541e73323d3f19354a39fb62b3dda6da87849a0
Instruction ID: a7c1f6075d73e2a0d4a4d34c052ca4849adf7352d5a8493d3fa60863a52b9147
Opcode Fuzzy Hash: 27ca794759b927114118cb5a0541e73323d3f19354a39fb62b3dda6da87849a0
Instruction Fuzzy Hash: 62A13832A041589FCF19AF68DD51BAE3BB1AB46324F18416EF851BF3D1CB399802C759

Uniqueness

Uniqueness Score: -1.00%

Function 003F81C5 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E003F81C5(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t302;
				signed char* _t303;
				signed int _t304;
				signed int _t305;
				signed int* _t307;
				signed char* _t310;
				signed int _t320;
				signed int _t321;
				signed int _t323;
				signed int _t332;
				void* _t334;
				void* _t336;
				void* _t337;
				void* _t338;
				void* _t339;

				_t302 = __edx;
				_t279 = __ecx;
				_push(_t321);
				_t307 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E003F917A(_a8, _a16, _t307);
				_t337 = _t336 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t307[1]) {
					L69:
					_t204 = E003FF6F6(_t274, _t279, _t302, _t307, _t321);
					asm("int3");
					_t334 = _t337;
					_t338 = _t337 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t321);
						_push(_t307);
						_t205 = E003F7E80(_t275, _t279, _t302, _t307, _t321);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t321 = _t205;
							_t225 = E003F7E80(_t275, _t279, _t302, 0, _t321);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t321;
							if( *((intOrPtr*)(_t225 + 8)) != _t321) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E003F6FF3(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t338 = _t338 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E003F6F25(_t275, _t279, 0, _t321,  &_v44,  &_v28, _a20, _a12, _t206);
							_t304 = _v40;
							_t339 = _t338 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t304;
							__eflags = _t304 - _v32;
							if(_t304 >= _v32) {
								goto L86;
							}
							_t281 = _t304 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t339 = _t339 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E003F8145(_t304, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t304 = _v12;
										_t339 = _t339 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t304 = _t304 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t304;
								_v16 = _t281;
								__eflags = _t304 - _v32;
							} while (_t304 < _v32);
							goto L86;
						}
						E003FF6F6(_t275, _t279, _t302, 0, _t321);
						asm("int3");
						_push(_t334);
						_t303 = _v188;
						_push(_t275);
						_push(_t321);
						_push(0);
						_t208 = _t303[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t303 & 0x00000080;
								_t310 = _v0;
								if(( *_t303 & 0x00000080) == 0) {
									L93:
									_t276 = _t310[4];
									_t323 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t310 & 0x00000002;
										if(( *_t310 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t323 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t303 & 0x00000002;
													if(( *_t303 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t303 & 0x00000001;
												if(( *_t303 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t303 & 0x00000008;
											if(( *_t303 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t323;
									} else {
										_t187 = _t276 + 8; // 0x6e
										_t212 = _t187;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t323;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t310 & 0x00000010;
									if(( *_t310 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t321 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t321 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E003F7E80(_t274, _t279, _t302, _t307, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E003F7E80(_t274, _t279, _t302, _t307, 0) + 0x10);
								_t265 = E003F7E80(_t274, _t279, _t302, _t307, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t321) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E003F7E80(_t274, _t279, _t302, _t307, _t321) + 0x1c)) == _t321) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t307;
										_v52 = _t321;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t307[3] - _t321;
											if(_t307[3] <= _t321) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t307);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t337 = _t337 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t307[3] - _t321;
													if(_t307[3] > _t321) {
														_push(_a28);
														E003F6F25(_t274, _t279, _t307, _t321,  &_v72,  &_v56, _t203, _a16, _t307);
														_t302 = _v68;
														_t337 = _t337 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t302;
														__eflags = _t302 - _v60;
														if(_t302 < _v60) {
															_t294 = _t302 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t337 = _t337 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t305 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t305;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t320 = _v40;
																				_t332 = _t305;
																				__eflags = _t332;
																				if(_t332 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t320);
																						_push(_t260);
																						L89();
																						_t337 = _t337 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t332 = _t332 - 1;
																						_t320 = _t320 + 4;
																						__eflags = _t332;
																						if(_t332 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t305 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E003F8145(_t305, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t320,  &_v108, _a28, _a32);
																					_t337 = _t337 + 0x30;
																				}
																				L45:
																				_t302 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t302 = _t302 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t302;
																_v36 = _t294;
																__eflags = _t302 - _v60;
															} while (_t302 < _v60);
															_t307 = _a20;
															_t321 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E003F72CC(_t279, _t302, __eflags);
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E003F7E80(_t274, _t279, _t302, _t307, _t321);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t321;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t321) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t307 & 0x1fffffff) - 0x19930521;
														if(( *_t307 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t307[7];
															if(_t307[7] != 0) {
																L55:
																_t230 = _t307[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t307[7]);
																	_t231 = E003F8BDB(_t274, _t307, _t321, _t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E003F7E80(_t274, _t279, _t302, _t307, _t321) + 0x10) = _t274;
																	_t240 = E003F7E80(_t274, _t279, _t302, _t307, _t321);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t307[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E003F7E80(_t274, _t279, _t302, _t307, _t321) + 0x1c));
										_t270 = E003F7E80(_t274, _t279, _t302, _t307, _t321);
										_push(_v20);
										 *(_t270 + 0x1c) = _t321;
										_t271 = E003F8BDB(_t274, _t307, _t321, _t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t307 = _v20;
											_t358 =  *_t307 - _t321;
											if( *_t307 <= _t321) {
												L64:
												E003FF64D(_t274, _t290, _t302, _t307, __eflags);
											} else {
												_t300 = _t321;
												_v20 = _t321;
												while(1) {
													_t290 =  *((intOrPtr*)(_t300 + _t307[1] + 4));
													if(E003F8874( *((intOrPtr*)(_t300 + _t307[1] + 4)), _t358, 0x416a74) != 0) {
														goto L65;
													}
													_t321 = _t321 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t358 = _t321 -  *_t307;
													if(_t321 >=  *_t307) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E003F72CC(_t290, _t302, __eflags);
											_t279 =  &_v68;
											E003F885C( &_v68);
											E003F787A( &_v68, 0x4144b4);
											L66:
											 *(E003F7E80(_t274, _t279, _t302, _t307, _t321) + 0x10) = _t274;
											_t233 = E003F7E80(_t274, _t279, _t302, _t307, _t321);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E003F7109(_t279, _t234, _t274);
											E003F8ADB(_a8, _a16, _t307);
											_t237 = E003F8C98(_t307);
											_t337 = _t337 + 0x10;
											_push(_t237);
											E003F8A57(_t274, _t279, _t302, _t307, _t321, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

0x003f81c5
0x003f81c5
0x003f81cc
0x003f81ce
0x003f81d7
0x003f81dd
0x003f81e0
0x003f81e5
0x003f81e8
0x003f81ee
0x003f8575
0x003f8575
0x003f857a
0x003f857c
0x003f857e
0x003f8581
0x003f8582
0x003f8585
0x003f858b
0x003f86aa
0x003f8591
0x003f8591
0x003f8592
0x003f8593
0x003f859a
0x003f859d
0x003f85a0
0x003f85a6
0x003f85a8
0x003f85ad
0x003f85b0
0x003f85b2
0x003f85b8
0x003f85ba
0x003f85c0
0x003f85d5
0x003f85da
0x003f85dd
0x003f85df
0x003f86a6
0x00000000
0x003f86a7
0x003f85df
0x003f85c0
0x003f85b8
0x003f85b0
0x003f85e5
0x003f85e8
0x003f85eb
0x003f85ee
0x003f85f1
0x003f85f7
0x003f8609
0x003f860e
0x003f8611
0x003f8614
0x003f8617
0x003f861a
0x003f861d
0x003f8620
0x00000000
0x00000000
0x003f8626
0x003f8626
0x003f8629
0x003f862c
0x003f863b
0x003f863c
0x003f863c
0x003f863e
0x003f8641
0x00000000
0x00000000
0x003f8643
0x003f8646
0x00000000
0x00000000
0x003f8654
0x003f8656
0x003f8659
0x003f865b
0x003f8663
0x003f8663
0x003f8666
0x003f8668
0x003f866a
0x003f8686
0x003f868b
0x003f868e
0x003f868e
0x00000000
0x003f8666
0x003f865d
0x003f8661
0x00000000
0x00000000
0x00000000
0x003f8691
0x003f8694
0x003f8695
0x003f8698
0x003f869b
0x003f869e
0x003f86a1
0x003f86a1
0x00000000
0x003f862c
0x003f86ab
0x003f86b0
0x003f86b1
0x003f86b4
0x003f86b7
0x003f86b8
0x003f86b9
0x003f86ba
0x003f86bd
0x003f86bf
0x003f8737
0x003f8739
0x003f8739
0x003f86c1
0x003f86c1
0x003f86c4
0x003f86c7
0x00000000
0x003f86c9
0x003f86c9
0x003f86cc
0x003f86cf
0x003f86d6
0x003f86d6
0x003f86d9
0x003f86db
0x003f86dd
0x003f870f
0x003f870f
0x003f8712
0x003f8719
0x003f8719
0x003f871c
0x003f871f
0x003f8726
0x003f8726
0x003f8729
0x003f8730
0x003f8732
0x003f8732
0x003f872b
0x003f872b
0x003f872e
0x00000000
0x00000000
0x003f872e
0x003f8721
0x003f8721
0x003f8724
0x00000000
0x00000000
0x003f8724
0x003f8714
0x003f8714
0x003f8717
0x00000000
0x00000000
0x003f8717
0x003f8733
0x003f86df
0x003f86df
0x003f86df
0x003f86e2
0x003f86e2
0x003f86e4
0x003f86e6
0x00000000
0x00000000
0x003f86e8
0x003f86ea
0x003f86fe
0x003f86fe
0x003f86ec
0x003f86ec
0x003f86ef
0x003f86f2
0x00000000
0x003f86f4
0x003f86f4
0x003f86f7
0x003f86fa
0x003f86fc
0x00000000
0x00000000
0x00000000
0x00000000
0x003f86fc
0x003f86f2
0x003f8707
0x003f8707
0x003f8709
0x00000000
0x003f870b
0x003f870b
0x003f870b
0x00000000
0x003f8709
0x003f8702
0x003f8704
0x003f8704
0x00000000
0x003f8704
0x003f86d1
0x003f86d1
0x003f86d4
0x00000000
0x00000000
0x00000000
0x00000000
0x003f86d4
0x003f86cf
0x003f86c7
0x003f873a
0x003f873e
0x003f873e
0x003f81fd
0x003f81fd
0x003f8206
0x003f8308
0x003f8308
0x00000000
0x003f8235
0x003f8235
0x003f823a
0x003f830a
0x003f830a
0x003f830d
0x00000000
0x003f8240
0x003f8240
0x003f8248
0x003f850c
0x003f8510
0x003f824e
0x003f8253
0x003f8256
0x003f825b
0x003f8262
0x003f8267
0x00000000
0x003f829f
0x003f82a7
0x003f8312
0x003f8312
0x003f8315
0x003f8318
0x003f8318
0x003f831b
0x003f831e
0x003f8324
0x003f84db
0x003f84db
0x003f84de
0x00000000
0x003f84e0
0x003f84e0
0x003f84e4
0x00000000
0x003f84ea
0x003f84ea
0x003f84ed
0x003f84f0
0x003f84f1
0x003f84f2
0x003f84f5
0x003f84f6
0x003f84f9
0x003f84fa
0x003f84ff
0x00000000
0x003f84ff
0x003f84e4
0x003f832a
0x003f832a
0x003f832e
0x00000000
0x003f8334
0x003f8334
0x003f833b
0x003f8353
0x003f8353
0x003f8356
0x003f835c
0x003f836c
0x003f8371
0x003f8374
0x003f8377
0x003f837a
0x003f837d
0x003f8380
0x003f8383
0x003f8389
0x003f8389
0x003f838c
0x003f838f
0x003f839e
0x003f839f
0x003f839f
0x003f83a1
0x003f83a4
0x003f83aa
0x003f83ad
0x003f83b3
0x003f83b5
0x003f83b8
0x003f83bb
0x003f83c4
0x003f83c7
0x003f83c9
0x003f83c9
0x003f83cc
0x003f83cf
0x003f83d2
0x003f83d5
0x003f83d8
0x003f83dd
0x003f83de
0x003f83df
0x003f83e0
0x003f83e1
0x003f83e4
0x003f83e6
0x003f83e8
0x00000000
0x003f83ea
0x003f83ea
0x003f83ea
0x003f83ed
0x003f83f0
0x003f83f2
0x003f83f3
0x003f83f8
0x003f83fb
0x003f83fd
0x00000000
0x00000000
0x003f83ff
0x003f8400
0x003f8403
0x003f8405
0x00000000
0x003f8407
0x003f8407
0x003f840a
0x003f840d
0x00000000
0x003f840d
0x00000000
0x003f8405
0x003f8421
0x003f8427
0x003f842b
0x003f8448
0x003f844d
0x003f844d
0x003f8450
0x003f8450
0x00000000
0x003f8410
0x003f8410
0x003f8411
0x003f8414
0x003f8417
0x003f841a
0x003f841a
0x00000000
0x003f841f
0x003f83bb
0x003f83ad
0x003f8453
0x003f8456
0x003f8457
0x003f845a
0x003f845d
0x003f8460
0x003f8463
0x003f8463
0x003f846c
0x003f846f
0x003f846f
0x003f846f
0x003f8383
0x003f8471
0x003f8475
0x003f8477
0x003f847a
0x003f8480
0x003f8480
0x003f8481
0x003f8485
0x003f8502
0x003f8502
0x003f8507
0x003f850a
0x00000000
0x00000000
0x00000000
0x00000000
0x003f8487
0x003f848e
0x003f8493
0x00000000
0x003f8495
0x003f8495
0x003f8499
0x003f84ab
0x003f84ae
0x003f84b1
0x003f84b3
0x003f84ca
0x003f84ce
0x003f84d4
0x003f84d5
0x003f84d7
0x00000000
0x003f84d9
0x00000000
0x003f84d9
0x003f84b5
0x003f84ba
0x003f84bd
0x003f84c2
0x003f84c5
0x00000000
0x003f84c5
0x003f849b
0x003f849e
0x003f84a1
0x003f84a3
0x00000000
0x003f84a5
0x003f84a5
0x003f84a9
0x00000000
0x00000000
0x00000000
0x00000000
0x003f84a9
0x003f84a3
0x003f8499
0x003f8493
0x003f833d
0x003f833d
0x003f8344
0x00000000
0x003f8346
0x003f8346
0x003f834d
0x00000000
0x00000000
0x00000000
0x00000000
0x003f834d
0x003f8344
0x003f833b
0x003f832e
0x003f82a9
0x003f82b1
0x003f82b4
0x003f82b9
0x003f82bd
0x003f82c0
0x003f82c6
0x003f82c9
0x00000000
0x003f82cb
0x003f82cb
0x003f82ce
0x003f82d0
0x003f8511
0x003f8511
0x003f82d6
0x003f82d6
0x003f82d8
0x003f82db
0x003f82e3
0x003f82ee
0x00000000
0x00000000
0x003f82f7
0x003f82f8
0x003f82fb
0x003f82fe
0x003f8300
0x00000000
0x003f8306
0x00000000
0x003f8306
0x00000000
0x003f8300
0x003f82db
0x003f8516
0x003f8516
0x003f8518
0x003f8519
0x003f8520
0x003f8523
0x003f8531
0x003f8536
0x003f853b
0x003f853e
0x003f8543
0x003f8546
0x003f8549
0x003f854c
0x003f854e
0x003f8550
0x003f8550
0x003f8555
0x003f8561
0x003f8567
0x003f856c
0x003f856f
0x003f8570
0x00000000
0x003f8570
0x003f82c9
0x003f82a7
0x003f8267
0x003f8248
0x003f823a
0x003f8206

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 003F82C0
type_info::operator==.LIBVCRUNTIME ref: 003F82E7
___TypeMatch.LIBVCRUNTIME ref: 003F83F3
IsInExceptionSpec.LIBVCRUNTIME ref: 003F84CE
_UnwindNestedFrames.LIBCMT ref: 003F8555
CallUnexpected.LIBVCRUNTIME ref: 003F8570

Strings

csm, xrefs: 003F831E
csm, xrefs: 003F8200
csm, xrefs: 003F826D

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 8d201be63b86172266ee1eba47d8a1d81ab5396ff04a7685a7f868fe06188343
Instruction ID: 31bc3e478bf17afbbdf639f74b96f1bc68a360ebbd07d7d7db03d8a7202ca6cd
Opcode Fuzzy Hash: 8d201be63b86172266ee1eba47d8a1d81ab5396ff04a7685a7f868fe06188343
Instruction Fuzzy Hash: 2CC1987580020EEFCF2ADFA4C8819BEBBB5FF15310F05455AEA156B212DB31EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003FCFA0 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E003FCFA0(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E003FBD66( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E003FA2F9( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E00402AEA(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E0040BD00(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E003FD69A( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E003FC732(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E003FD87D(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E0040BDA0(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E003FD69A( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E003FD87D(_t253))) = 0x16;
					E003FDA3C();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x003fcfb8
0x003fcfdd
0x003fcfdf
0x003fcfe1
0x003fcfe3
0x003fcfe3
0x003fcfe8
0x003fcfed
0x003fcfed
0x003fcff7
0x003fcff7
0x003fcfba
0x003fcfbf
0x003fcfc2
0x003fcff8
0x003fcffb
0x003fd001
0x003fd008
0x003fd00b
0x003fd00e
0x003fd011
0x003fd017
0x003fd01a
0x003fd027
0x003fd02a
0x003fd02d
0x003fd033
0x003fd034
0x003fd036
0x003fd01f
0x003fd022
0x003fd025
0x003fd025
0x00000000
0x003fd025
0x003fd038
0x003fd03c
0x003fd03f
0x003fd043
0x003fd04c
0x003fd050
0x003fd05f
0x00000000
0x003fd05f
0x00000000
0x003fd045
0x003fd047
0x003fd052
0x003fd052
0x003fd055
0x003fd058
0x003fd05a
0x003fd062
0x003fd062
0x003fd069
0x003fd06e
0x003fd07d
0x003fd084
0x003fd08b
0x003fd092
0x003fd099
0x003fd0a0
0x003fd0a7
0x003fd0ae
0x003fd0b5
0x003fd0bc
0x003fd0c3
0x003fd0ca
0x003fd0d1
0x003fd0d8
0x003fd0df
0x003fd0e6
0x003fd0ed
0x003fd0f4
0x003fd0fb
0x003fd102
0x003fd109
0x003fd110
0x003fd117
0x003fd11e
0x003fd125
0x003fd12c
0x003fd133
0x003fd13a
0x003fd141
0x003fd14b
0x003fd155
0x003fd161
0x003fd162
0x003fd164
0x003fd16f
0x003fd16f
0x003fd172
0x003fd2f0
0x003fd2f0
0x003fd2f3
0x003fd2f6
0x003fd302
0x003fd302
0x003fd302
0x003fd305
0x003fd308
0x003fd317
0x003fd317
0x003fd31a
0x003fd31a
0x003fd31c
0x003fd32a
0x003fd32d
0x003fd330
0x003fd333
0x003fd336
0x003fd352
0x003fd352
0x003fd354
0x003fd358
0x003fd359
0x003fd359
0x003fd35c
0x003fd35f
0x003fd35f
0x003fd362
0x003fd365
0x003fd365
0x003fd367
0x003fd368
0x003fd369
0x003fd36b
0x003fd377
0x003fd37d
0x003fd382
0x003fd38a
0x003fd390
0x003fd392
0x003fd394
0x003fd397
0x003fd39d
0x003fd39d
0x003fd3a0
0x00000000
0x00000000
0x003fd3a8
0x003fd3a9
0x003fd3ac
0x003fd3b9
0x003fd3be
0x003fd3c1
0x003fd50d
0x003fd514
0x003fd3de
0x003fd3e1
0x003fd51d
0x003fd51d
0x003fd520
0x003fd54c
0x003fd54c
0x003fd54f
0x003fd5de
0x003fd5e2
0x003fd5e7
0x003fd5ea
0x003fd5ec
0x003fd5fd
0x003fd600
0x003fd60e
0x003fd610
0x003fd645
0x003fd649
0x003fd64b
0x003fd64d
0x003fd650
0x003fd650
0x003fd652
0x003fd652
0x003fd659
0x003fd665
0x003fd665
0x00000000
0x003fd659
0x003fd617
0x003fd61d
0x003fd620
0x003fd622
0x003fd62c
0x003fd62e
0x003fd639
0x003fd639
0x003fd63c
0x003fd630
0x003fd630
0x003fd632
0x003fd632
0x003fd641
0x003fd641
0x00000000
0x003fd641
0x003fd624
0x003fd627
0x00000000
0x003fd627
0x003fd5f4
0x003fd5f7
0x003fd5f9
0x00000000
0x003fd5f9
0x003fd555
0x003fd558
0x00000000
0x00000000
0x003fd561
0x003fd564
0x003fd567
0x003fd569
0x003fd56c
0x003fd56f
0x003fd59e
0x003fd59e
0x003fd5a0
0x003fd5b7
0x003fd5b7
0x003fd5b9
0x003fd5bc
0x003fd5be
0x003fd5c1
0x003fd5c1
0x003fd5c4
0x003fd5ca
0x003fd5cf
0x003fd5d5
0x003fd5d8
0x00000000
0x003fd5d8
0x003fd571
0x003fd577
0x003fd577
0x003fd579
0x003fd596
0x003fd599
0x00000000
0x003fd599
0x003fd57b
0x003fd57e
0x00000000
0x00000000
0x003fd584
0x003fd58a
0x00000000
0x00000000
0x003fd58c
0x00000000
0x00000000
0x003fd58e
0x003fd594
0x00000000
0x00000000
0x00000000
0x003fd594
0x003fd573
0x003fd575
0x00000000
0x00000000
0x00000000
0x003fd575
0x00000000
0x003fd520
0x003fd51a
0x003fd51a
0x00000000
0x003fd51a
0x003fd3c7
0x003fd3cc
0x003fd3cf
0x00000000
0x00000000
0x003fd3d5
0x003fd3dc
0x003fd3e8
0x003fd3eb
0x003fd3ee
0x00000000
0x00000000
0x003fd3f4
0x003fd3f8
0x00000000
0x00000000
0x003fd3fa
0x003fd3fd
0x003fd400
0x00000000
0x00000000
0x003fd406
0x003fd40a
0x00000000
0x00000000
0x003fd40c
0x003fd40f
0x003fd412
0x00000000
0x00000000
0x003fd418
0x003fd41c
0x00000000
0x00000000
0x003fd41e
0x003fd421
0x003fd424
0x00000000
0x00000000
0x003fd42a
0x003fd42e
0x00000000
0x00000000
0x003fd430
0x003fd433
0x003fd436
0x00000000
0x00000000
0x003fd43c
0x003fd440
0x00000000
0x00000000
0x003fd442
0x003fd445
0x003fd448
0x00000000
0x00000000
0x003fd44e
0x003fd452
0x00000000
0x00000000
0x003fd454
0x003fd457
0x003fd45a
0x00000000
0x00000000
0x003fd460
0x003fd464
0x00000000
0x00000000
0x003fd46a
0x003fd46d
0x003fd470
0x00000000
0x00000000
0x003fd476
0x003fd47a
0x00000000
0x00000000
0x003fd480
0x003fd483
0x003fd486
0x00000000
0x00000000
0x003fd48c
0x003fd490
0x00000000
0x00000000
0x003fd496
0x003fd499
0x003fd49c
0x00000000
0x00000000
0x003fd4a2
0x003fd4a6
0x00000000
0x00000000
0x003fd4ac
0x003fd4af
0x003fd4b2
0x00000000
0x00000000
0x003fd4b4
0x003fd4b8
0x00000000
0x00000000
0x003fd4be
0x003fd4c1
0x003fd4c4
0x00000000
0x00000000
0x003fd4c6
0x003fd4ca
0x00000000
0x00000000
0x003fd4d0
0x003fd4d3
0x003fd4d6
0x00000000
0x00000000
0x003fd4d8
0x003fd4dc
0x00000000
0x00000000
0x003fd4e2
0x003fd4e5
0x003fd4e8
0x00000000
0x00000000
0x003fd4ea
0x003fd4ee
0x00000000
0x00000000
0x003fd4f4
0x003fd4fa
0x003fd4fd
0x00000000
0x00000000
0x003fd4ff
0x003fd506
0x00000000
0x00000000
0x003fd508
0x00000000
0x003fd3dc
0x003fd3b1
0x00000000
0x003fd522
0x003fd522
0x003fd525
0x003fd528
0x003fd534
0x003fd534
0x003fd534
0x003fd537
0x003fd53a
0x003fd549
0x003fd549
0x00000000
0x003fd549
0x003fd53c
0x003fd53c
0x003fd53f
0x003fd541
0x003fd541
0x003fd541
0x003fd544
0x00000000
0x003fd544
0x003fd52a
0x003fd52d
0x00000000
0x00000000
0x003fd52f
0x003fd52f
0x00000000
0x003fd52f
0x003fd39d
0x003fd338
0x003fd33b
0x00000000
0x00000000
0x003fd33d
0x003fd33f
0x003fd343
0x003fd344
0x003fd344
0x003fd34b
0x00000000
0x003fd34b
0x003fd31e
0x003fd320
0x003fd324
0x003fd325
0x003fd325
0x00000000
0x003fd320
0x003fd30a
0x003fd30a
0x003fd30d
0x003fd30f
0x003fd30f
0x003fd30f
0x003fd312
0x00000000
0x003fd312
0x003fd2f8
0x003fd2fb
0x00000000
0x00000000
0x003fd2fd
0x003fd2fd
0x00000000
0x003fd2fd
0x003fd178
0x003fd17c
0x003fd188
0x003fd18b
0x003fd2db
0x003fd2e2
0x003fd1c2
0x003fd1c5
0x003fd2eb
0x003fd2eb
0x003fd2ee
0x00000000
0x00000000
0x00000000
0x003fd2ee
0x003fd2e8
0x003fd2e8
0x00000000
0x003fd2e8
0x003fd191
0x003fd194
0x00000000
0x00000000
0x003fd19a
0x003fd1a1
0x003fd1b0
0x003fd1b3
0x003fd1b6
0x00000000
0x00000000
0x003fd1bc
0x003fd1c0
0x003fd1cc
0x003fd1cf
0x003fd1d2
0x00000000
0x00000000
0x003fd1d8
0x003fd1dc
0x00000000
0x00000000
0x003fd1de
0x003fd1e1
0x003fd1e4
0x00000000
0x00000000
0x003fd1ea
0x003fd1ee
0x00000000
0x00000000
0x003fd1f0
0x003fd1f3
0x003fd1f6
0x00000000
0x00000000
0x003fd1fc
0x003fd200
0x00000000
0x00000000
0x003fd202
0x003fd205
0x003fd208
0x00000000
0x00000000
0x003fd20e
0x003fd212
0x00000000
0x00000000
0x003fd214
0x003fd217
0x003fd21a
0x00000000
0x00000000
0x003fd220
0x003fd224
0x00000000
0x00000000
0x003fd226
0x003fd229
0x003fd22c
0x00000000
0x00000000
0x003fd232
0x003fd236
0x00000000
0x00000000
0x003fd238
0x003fd23b
0x003fd23e
0x00000000
0x00000000
0x003fd244
0x003fd248
0x00000000
0x00000000
0x003fd24e
0x003fd251
0x003fd254
0x00000000
0x00000000
0x003fd25a
0x003fd25e
0x00000000
0x00000000
0x003fd264
0x003fd267
0x003fd26a
0x00000000
0x00000000
0x003fd270
0x003fd274
0x00000000
0x00000000
0x003fd27a
0x003fd27d
0x003fd280
0x00000000
0x00000000
0x003fd282
0x003fd286
0x00000000
0x00000000
0x003fd28c
0x003fd28f
0x003fd292
0x00000000
0x00000000
0x003fd294
0x003fd298
0x00000000
0x00000000
0x003fd29e
0x003fd2a1
0x003fd2a4
0x00000000
0x00000000
0x003fd2a6
0x003fd2aa
0x00000000
0x00000000
0x003fd2b0
0x003fd2b3
0x003fd2b6
0x00000000
0x00000000
0x003fd2b8
0x003fd2bc
0x00000000
0x00000000
0x003fd2c2
0x003fd2c8
0x003fd2cb
0x00000000
0x00000000
0x003fd2cd
0x003fd2d4
0x00000000
0x00000000
0x003fd2d6
0x00000000
0x003fd1c0
0x003fd1a6
0x00000000
0x003fd1a6
0x003fd181
0x00000000
0x003fd181
0x003fd166
0x003fd169
0x00000000
0x00000000
0x00000000
0x003fd169
0x003fd043
0x003fcfc6
0x003fcfcd
0x003fcfd2
0x003fcfd8
0x00000000
0x003fcfd8
0x003fcfc8
0x003fcfcb
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 003FD37D

Strings

p, xrefs: 003FD092
:, xrefs: 003FD062
f, xrefs: 003FD08B
f, xrefs: 003FD0A7
p, xrefs: 003FD0AE
f, xrefs: 003FD0ED
p, xrefs: 003FD0F4

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: cf24321ae9eddb303c0f8a2dd7b79bea113bfed4b087e31e8304b28ff9d3da89
Instruction ID: febad0942b6bce993765fa3de6ee159626735841c756a852793893423996cf35
Opcode Fuzzy Hash: cf24321ae9eddb303c0f8a2dd7b79bea113bfed4b087e31e8304b28ff9d3da89
Instruction Fuzzy Hash: 84029E79A1021C9BDF328FA4C88C6FDB7B7FB41B18FA44516D219BB284D7708D888B15

Uniqueness

Uniqueness Score: -1.00%

Function 00402498 Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00402498(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E003FD86A(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E003FD87D( *_t137))) = 9;
						L60:
						_t139 = E003FDA3C();
						goto L61;
					}
					__eflags = _t198 -  *0x417558; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x417358 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E003FD86A(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E003FD87D(__eflags))) = 0x16;
								E003FDA3C();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00400374(_t212, _t154);
								E003FF8AF(0);
								E003FF8AF(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00408CF0(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x417358 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x417358 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t57 = _t143 + 0x2a; // 0x10c483c2
										_t180 =  *((intOrPtr*)(_v20 + _t57));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x417358 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t74 =  *((intOrPtr*)(0x417358 + _v12 * 4)) + 0x2b; // 0x8310c483
													_t185 =  *((intOrPtr*)(_v20 + _t74));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x417358 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t91 =  *((intOrPtr*)(0x417358 + _v12 * 4)) + 0x2c; // 0xf88310c4
																_t190 =  *((intOrPtr*)(_v20 + _t91));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x417358 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00408033(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E003FD847(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E003FD87D(__eflags))) = 9;
											 *(E003FD86A(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x417358 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00401FE1();
												} else {
													_t170 = E00402309();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E004021B2(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x417358 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E003FD87D(__eflags))) = 0xc;
									 *(E003FD86A(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E003FF8AF(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x417358 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E003FD86A(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E003FD87D(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E003FD86A(_t246)) =  *_t197 & 0x00000000;
					_t139 = E003FD87D(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x004024a1
0x004024a5
0x004024a8
0x004024c2
0x004024c4
0x00402829
0x00402829
0x0040282e
0x0040282e
0x00402836
0x0040283c
0x0040283c
0x00000000
0x0040283c
0x004024ca
0x004024d0
0x00000000
0x00000000
0x004024da
0x004024e0
0x004024e3
0x004024e6
0x004024f0
0x004024f3
0x004024f6
0x004024fa
0x004024fc
0x00000000
0x00000000
0x00402502
0x00402505
0x0040250b
0x00402525
0x00402527
0x00402825
0x00000000
0x00402825
0x0040252d
0x00402530
0x00000000
0x00000000
0x00402536
0x0040253a
0x00000000
0x00000000
0x00402540
0x00402543
0x00402547
0x0040254e
0x00402550
0x00402550
0x00402553
0x004025a8
0x004025aa
0x00402570
0x00402575
0x0040257c
0x00402582
0x00000000
0x004025ac
0x004025ae
0x004025af
0x004025b1
0x004025b4
0x004025b6
0x004025b8
0x004025ba
0x004025ba
0x004025c5
0x004025c7
0x004025ce
0x004025d3
0x004025d6
0x004025d9
0x004025db
0x004025ff
0x00402607
0x0040260a
0x00402611
0x00402618
0x0040261c
0x0040261e
0x00402621
0x00402628
0x00402628
0x0040262b
0x0040262d
0x00402630
0x00402635
0x00402638
0x00402641
0x00402641
0x00402645
0x00402648
0x0040264a
0x00402650
0x00402652
0x0040265b
0x0040265c
0x0040265e
0x00402662
0x00402663
0x00402667
0x0040266a
0x00402674
0x00402679
0x0040267c
0x0040268b
0x0040268b
0x0040268f
0x00402692
0x00402694
0x00402696
0x00402698
0x0040269d
0x0040269f
0x004026a3
0x004026a4
0x004026aa
0x004026b4
0x004026b5
0x004026b8
0x004026bd
0x004026c0
0x004026cf
0x004026cf
0x004026d3
0x004026d6
0x004026d8
0x004026da
0x004026dc
0x004026de
0x004026e4
0x004026e4
0x004026e5
0x004026f4
0x004026f7
0x004026f8
0x004026f8
0x004026dc
0x004026d8
0x004026c0
0x00402698
0x00402694
0x0040267c
0x00402652
0x0040264a
0x004026fe
0x00402704
0x00402706
0x00402779
0x00402779
0x0040277d
0x0040278d
0x00402793
0x00402795
0x004027f1
0x004027f1
0x004027f9
0x004027fa
0x004027fc
0x00402815
0x00402818
0x00402755
0x00402756
0x00000000
0x0040275b
0x0040281e
0x00000000
0x0040281e
0x00402803
0x0040280e
0x00000000
0x0040280e
0x00402797
0x0040279a
0x0040279d
0x00000000
0x00000000
0x0040279f
0x0040279f
0x004027a2
0x004027a5
0x004027a8
0x004027af
0x004027b4
0x004027b6
0x004027ba
0x004027d5
0x004027d9
0x004027da
0x004027dd
0x004027de
0x004027ea
0x004027e0
0x004027e0
0x004027e0
0x004027bc
0x004027bc
0x004027bc
0x004027c7
0x004027cc
0x004027cf
0x004027cf
0x00000000
0x004027b4
0x0040270b
0x0040270e
0x00402715
0x0040271a
0x00000000
0x00000000
0x00402723
0x00402729
0x0040272b
0x00000000
0x00000000
0x0040272d
0x00402731
0x00000000
0x00000000
0x00402745
0x0040274b
0x0040274d
0x00402771
0x00402774
0x00000000
0x00402774
0x0040274f
0x00000000
0x004025dd
0x004025e2
0x004025ed
0x0040275c
0x0040275c
0x0040275c
0x0040275f
0x00402760
0x00000000
0x00402768
0x004025db
0x004025aa
0x00402555
0x00402558
0x0040256c
0x0040256e
0x0040258f
0x00402592
0x00402595
0x00402598
0x00000000
0x00402598
0x00000000
0x0040255a
0x0040255a
0x0040255d
0x00402560
0x00000000
0x00402560
0x00402558
0x0040250d
0x00402512
0x0040251a
0x00000000
0x004024aa
0x004024af
0x004024b2
0x004024b7
0x00402841
0x00000000
0x00402841

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ef57e2e4040d604c8d1ee279e33d9611cbb14c3fb31d7d780807371ffa5083
Instruction ID: 19c036bfc28370a273de30b9f81d5fe9a7f4a7768e5f2df9db373a964e182a65
Opcode Fuzzy Hash: b9ef57e2e4040d604c8d1ee279e33d9611cbb14c3fb31d7d780807371ffa5083
Instruction Fuzzy Hash: BBC1F670D042499FDF05DF98C988BAE7BB1AF49300F04416AE915BB3D2C7B99941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403E08 Relevance: 13.7, APIs: 9, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403E08(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				signed int _t68;
				void* _t69;
				signed int _t74;
				signed int* _t76;
				signed int _t82;
				signed int _t85;
				void* _t86;
				signed int _t91;
				intOrPtr* _t100;
				signed int _t105;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t128;
				signed int _t129;
				signed int _t130;
				signed int _t136;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				void* _t146;
				signed int _t147;
				signed int _t149;
				signed int _t151;
				signed int _t155;
				signed int _t156;
				WCHAR* _t157;
				signed int _t158;
				void* _t161;
				void* _t165;
				void* _t166;
				void* _t168;
				void* _t170;

				_t161 = _t165;
				_t166 = _t165 - 0x10;
				_push(__ebx);
				_t113 = _a4;
				_t171 = _t113;
				if(_t113 != 0) {
					_push(0x3d);
					_push(_t113);
					_t149 = _t113;
					_t58 = E0040C43B(__ecx);
					_v16 = _t58;
					__eflags = _t58;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E003FD87D(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t58 - _t113;
						if(__eflags == 0) {
							goto L38;
						} else {
							_t122 =  *(_t58 + 2) & 0x0000ffff;
							_t62 =  *(_t58 + 2) & 0x0000ffff;
							_v20 = _t62;
							_v12 = _t62;
							L60();
							_t155 =  *0x417238; // 0x144e898
							_t114 = 0;
							__eflags = _t155;
							if(_t155 != 0) {
								L16:
								_v16 = _v16 - _t149 >> 1;
								_t64 = E00404133(_t149, _v16 - _t149 >> 1);
								_v8 = _t64;
								__eflags = _t64;
								if(_t64 < 0) {
									L24:
									__eflags = _v12 - _t114;
									if(_v12 == _t114) {
										goto L40;
									} else {
										_t65 =  ~_t64;
										_v8 = _t65;
										_t27 = _t65 + 2; // 0x2
										_t128 = _t27;
										__eflags = _t128 - _t65;
										if(_t128 < _t65) {
											goto L39;
										} else {
											__eflags = _t128 - 0x3fffffff;
											if(_t128 >= 0x3fffffff) {
												goto L39;
											} else {
												_t156 = E003FF689(_t155, _t128, 4);
												E003FF8AF(_t114);
												_t166 = _t166 + 0x10;
												__eflags = _t156;
												if(_t156 == 0) {
													goto L39;
												} else {
													_t129 = _v8;
													_t149 = _t114;
													_t68 = _a4;
													 *(_t156 + _t129 * 4) = _t68;
													 *(_t156 + 4 + _t129 * 4) = _t114;
													goto L29;
												}
											}
										}
									}
								} else {
									__eflags =  *_t155 - _t114;
									if( *_t155 == _t114) {
										goto L24;
									} else {
										E003FF8AF( *((intOrPtr*)(_t155 + _t64 * 4)));
										_t145 = _v8;
										__eflags = _v12 - _t114;
										if(_v12 == _t114) {
											while(1) {
												__eflags =  *(_t155 + _t145 * 4) - _t114;
												if( *(_t155 + _t145 * 4) == _t114) {
													break;
												}
												 *(_t155 + _t145 * 4) =  *(_t155 + 4 + _t145 * 4);
												_t145 = _t145 + 1;
												__eflags = _t145;
											}
											_t156 = E003FF689(_t155, _t145, 4);
											E003FF8AF(_t114);
											_t166 = _t166 + 0x10;
											_t68 = _t149;
											__eflags = _t156;
											if(_t156 != 0) {
												L29:
												 *0x417238 = _t156;
											}
										} else {
											_t68 = _a4;
											_t149 = _t114;
											 *(_t155 + _t145 * 4) = _t68;
										}
										__eflags = _a8 - _t114;
										if(_a8 == _t114) {
											goto L40;
										} else {
											_t130 = _t68;
											_t146 = _t130 + 2;
											do {
												_t69 =  *_t130;
												_t130 = _t130 + 2;
												__eflags = _t69 - _t114;
											} while (_t69 != _t114);
											_v12 = (_t130 - _t146 >> 1) + 2;
											_t157 = E003FF852(_t130 - _t146 >> 1, (_t130 - _t146 >> 1) + 2, 2);
											_pop(_t134);
											__eflags = _t157;
											if(_t157 == 0) {
												L37:
												E003FF8AF(_t157);
												goto L40;
											} else {
												_t74 = E004029DD(_t157, _v12, _a4);
												_t168 = _t166 + 0xc;
												__eflags = _t74;
												if(_t74 != 0) {
													_push(_t114);
													_push(_t114);
													_push(_t114);
													_push(_t114);
													_push(_t114);
													E003FDA69();
													asm("int3");
													_push(_t161);
													_push(_t134);
													_push(_t149);
													_t151 = _v48;
													__eflags = _t151;
													if(_t151 != 0) {
														_t147 = 0;
														_t76 = _t151;
														_t136 = 0;
														_v12 = 0;
														__eflags =  *_t151;
														if( *_t151 != 0) {
															do {
																_t76 =  &(_t76[1]);
																_t136 = _t136 + 1;
																__eflags =  *_t76;
															} while ( *_t76 != 0);
														}
														_t49 = _t136 + 1; // 0x2
														_t158 = E003FF852(_t136, _t49, 4);
														_t138 = _t157;
														__eflags = _t158;
														if(_t158 == 0) {
															L58:
															E003FF6F6(_t114, _t138, _t147, _t151, _t158);
															goto L59;
														} else {
															_t140 =  *_t151;
															__eflags = _t140;
															if(_t140 == 0) {
																L57:
																E003FF8AF(0);
																_t85 = _t158;
																goto L45;
															} else {
																_push(_t114);
																_t114 = _t158 - _t151;
																__eflags = _t114;
																do {
																	_t50 = _t140 + 2; // 0x6
																	_t147 = _t50;
																	do {
																		_t86 =  *_t140;
																		_t140 = _t140 + 2;
																		__eflags = _t86 - _v12;
																	} while (_t86 != _v12);
																	_t52 = (_t140 - _t147 >> 1) + 1; // 0x3
																	_v16 = _t52;
																	 *(_t114 + _t151) = E003FF852(_t140 - _t147 >> 1, _t52, 2);
																	E003FF8AF(0);
																	_t170 = _t168 + 0xc;
																	__eflags =  *(_t114 + _t151);
																	if( *(_t114 + _t151) == 0) {
																		goto L58;
																	} else {
																		_t91 = E004029DD( *(_t114 + _t151), _v16,  *_t151);
																		_t168 = _t170 + 0xc;
																		__eflags = _t91;
																		if(_t91 != 0) {
																			L59:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E003FDA69();
																			asm("int3");
																			_t82 =  *0x417238; // 0x144e898
																			__eflags = _t82 -  *0x41723c; // 0x144e898
																			if(__eflags == 0) {
																				_push(_t82);
																				L43();
																				 *0x417238 = _t82;
																				return _t82;
																			}
																			return _t82;
																		} else {
																			goto L55;
																		}
																	}
																	goto L63;
																	L55:
																	_t151 = _t151 + 4;
																	_t140 =  *_t151;
																	__eflags = _t140;
																} while (_t140 != 0);
																goto L57;
															}
														}
													} else {
														_t85 = 0;
														__eflags = 0;
														L45:
														return _t85;
													}
												} else {
													_t143 =  &(_t157[_v16 + 1]);
													 *((short*)(_t143 - 2)) = 0;
													asm("sbb eax, eax");
													__eflags = SetEnvironmentVariableW(_t157,  ~(_v20 & 0x0000ffff) & _t143);
													if(__eflags == 0) {
														_t100 = E003FD87D(__eflags);
														_t114 = _t114 | 0xffffffff;
														__eflags = _t114;
														 *_t100 = 0x2a;
													}
													goto L37;
												}
											}
										}
									}
								}
							} else {
								_t105 =  *0x417234; // 0x0
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v12 - _t114;
									if(_v12 != _t114) {
										__eflags = _t105;
										if(_t105 != 0) {
											L14:
											 *0x417238 = E003FF852(_t122, 1, 4);
											E003FF8AF(_t114);
											_t166 = _t166 + 0xc;
											goto L15;
										} else {
											 *0x417234 = E003FF852(_t122, 1, 4);
											E003FF8AF(_t114);
											_t166 = _t166 + 0xc;
											__eflags =  *0x417234 - _t114; // 0x0
											if(__eflags == 0) {
												goto L39;
											} else {
												_t155 =  *0x417238; // 0x144e898
												__eflags = _t155;
												if(_t155 != 0) {
													goto L16;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t114 = 0;
										goto L40;
									}
								} else {
									__eflags = _t105;
									if(_t105 == 0) {
										goto L9;
									} else {
										__eflags = L003FEA9A(0);
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											L15:
											_t155 =  *0x417238; // 0x144e898
											__eflags = _t155;
											if(_t155 == 0) {
												L39:
												_t114 = _t113 | 0xffffffff;
												__eflags = _t114;
												L40:
												E003FF8AF(_t149);
												_t61 = _t114;
												goto L41;
											} else {
												goto L16;
											}
										}
									}
								}
							}
						}
					}
				} else {
					_t111 = E003FD87D(_t171);
					 *_t111 = 0x16;
					_t61 = _t111 | 0xffffffff;
					L41:
					return _t61;
				}
				L63:
			}

0x00403e0b
0x00403e0d
0x00403e10
0x00403e11
0x00403e14
0x00403e16
0x00403e2d
0x00403e2f
0x00403e30
0x00403e32
0x00403e37
0x00403e3c
0x00403e3e
0x00404034
0x00404039
0x00000000
0x00403e44
0x00403e44
0x00403e46
0x00000000
0x00403e4c
0x00403e4c
0x00403e50
0x00403e52
0x00403e55
0x00403e58
0x00403e5d
0x00403e63
0x00403e65
0x00403e67
0x00403ef2
0x00403efd
0x00403f00
0x00403f05
0x00403f0a
0x00403f0c
0x00403f5a
0x00403f5a
0x00403f5e
0x00000000
0x00403f64
0x00403f64
0x00403f66
0x00403f69
0x00403f69
0x00403f6c
0x00403f6e
0x00000000
0x00403f74
0x00403f74
0x00403f7a
0x00000000
0x00403f80
0x00403f8a
0x00403f8c
0x00403f91
0x00403f94
0x00403f96
0x00000000
0x00403f9c
0x00403f9c
0x00403f9f
0x00403fa1
0x00403fa4
0x00403fa7
0x00000000
0x00403fa7
0x00403f96
0x00403f7a
0x00403f6e
0x00403f0e
0x00403f0e
0x00403f10
0x00000000
0x00403f12
0x00403f15
0x00403f1b
0x00403f1e
0x00403f22
0x00403f39
0x00403f39
0x00403f3c
0x00000000
0x00000000
0x00403f35
0x00403f38
0x00403f38
0x00403f38
0x00403f48
0x00403f4a
0x00403f4f
0x00403f52
0x00403f54
0x00403f56
0x00403fab
0x00403fab
0x00403fab
0x00403f24
0x00403f24
0x00403f27
0x00403f29
0x00403f29
0x00403fb1
0x00403fb4
0x00000000
0x00403fba
0x00403fba
0x00403fbc
0x00403fbf
0x00403fbf
0x00403fc2
0x00403fc5
0x00403fc5
0x00403fd4
0x00403fdc
0x00403fdf
0x00403fe0
0x00403fe2
0x0040402b
0x0040402c
0x00000000
0x00403fe4
0x00403fec
0x00403ff1
0x00403ff4
0x00403ff6
0x00404050
0x00404051
0x00404052
0x00404053
0x00404054
0x00404055
0x0040405a
0x0040405d
0x00404061
0x00404062
0x00404063
0x00404066
0x00404068
0x0040406f
0x00404071
0x00404073
0x00404075
0x00404078
0x0040407a
0x0040407c
0x0040407c
0x0040407f
0x00404080
0x00404080
0x0040407c
0x00404085
0x00404090
0x00404093
0x00404094
0x00404096
0x00404107
0x00404107
0x00000000
0x00404098
0x00404098
0x0040409a
0x0040409c
0x004040f6
0x004040f9
0x004040ff
0x00000000
0x0040409e
0x0040409e
0x004040a1
0x004040a1
0x004040a3
0x004040a3
0x004040a3
0x004040a6
0x004040a6
0x004040a9
0x004040ac
0x004040ac
0x004040b8
0x004040bc
0x004040c4
0x004040ca
0x004040cf
0x004040d2
0x004040d6
0x00000000
0x004040d8
0x004040e0
0x004040e5
0x004040e8
0x004040ea
0x0040410c
0x0040410e
0x0040410f
0x00404110
0x00404111
0x00404112
0x00404113
0x00404118
0x00404119
0x0040411e
0x00404124
0x00404126
0x00404127
0x0040412d
0x00000000
0x0040412d
0x00404132
0x00000000
0x00000000
0x00000000
0x004040ea
0x00000000
0x004040ec
0x004040ec
0x004040ef
0x004040f1
0x004040f1
0x00000000
0x004040f5
0x0040409c
0x0040406a
0x0040406a
0x0040406a
0x0040406c
0x0040406e
0x0040406e
0x00403ff8
0x00403ffc
0x00404001
0x0040400d
0x00404019
0x0040401b
0x0040401d
0x00404022
0x00404022
0x00404025
0x00404025
0x00000000
0x0040401b
0x00403ff6
0x00403fe2
0x00403fb4
0x00403f10
0x00403e6d
0x00403e6d
0x00403e72
0x00403e75
0x00403e8f
0x00403e8f
0x00403e93
0x00403e9c
0x00403e9e
0x00403ecd
0x00403ed7
0x00403edc
0x00403ee1
0x00000000
0x00403ea0
0x00403eaa
0x00403eaf
0x00403eb4
0x00403eb7
0x00403ebd
0x00000000
0x00403ec3
0x00403ec3
0x00403ec9
0x00403ecb
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ecb
0x00403ebd
0x00403e95
0x00403e95
0x00000000
0x00403e95
0x00403e77
0x00403e77
0x00403e79
0x00000000
0x00403e7b
0x00403e80
0x00403e82
0x00000000
0x00403e88
0x00403e88
0x00403ee4
0x00403ee4
0x00403eea
0x00403eec
0x0040403f
0x0040403f
0x0040403f
0x00404042
0x00404043
0x0040404a
0x00000000
0x00000000
0x00000000
0x00000000
0x00403eec
0x00403e82
0x00403e79
0x00403e75
0x00403e67
0x00403e46
0x00403e18
0x00403e18
0x00403e1d
0x00403e23
0x0040404d
0x0040404f
0x0040404f
0x00000000

APIs

_wcschr.LIBVCRUNTIME ref: 00403E32
_free.LIBCMT ref: 00403F15

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free_wcschr
String ID:
API String ID: 3422831350-0
Opcode ID: e492dcc70449a7074277e52948e3994ce598d07586ae6478ed01bd0936307be2
Instruction ID: d3e8cac592a88836f67089099c1ee4124e0c7441177934d762a723ec452c88a3
Opcode Fuzzy Hash: e492dcc70449a7074277e52948e3994ce598d07586ae6478ed01bd0936307be2
Instruction Fuzzy Hash: 7851F7B1D00205AFDB21AF64C88167B7BB8AF44351B14427FFB05BB2C1EB7999418799

Uniqueness

Uniqueness Score: -1.00%

Function 003F7550 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E003F7550(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t82;
				char _t84;
				intOrPtr _t87;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t105;
				void* _t107;
				void* _t115;

				_t76 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E0040C502(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t99 = _t6;
				_push(_t99);
				_v20 = _t99;
				_v12 =  *(_t77 + 8) ^  *0x416014;
				E003F7510( *(_t77 + 8) ^  *0x416014);
				E003F8CFC(_a12);
				_t52 = _a4;
				_t107 = _t105 - 0x1c + 0x10;
				_t96 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t96 - 0xfffffffe;
					if(_t96 != 0xfffffffe) {
						E003F8EB0(_t77, 0xfffffffe, _t99, 0x416014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t96 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t82 = _v12;
							_t59 = _t96 + (_t96 + 2) * 2;
							_t79 =  *((intOrPtr*)(_t82 + _t59 * 4));
							_t60 = _t82 + _t59 * 4;
							_t83 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t84 = _v5;
								goto L7;
							} else {
								_t61 = E003F8E60(_t83, _t99);
								_t84 = 1;
								_v5 = 1;
								_t115 = _t61;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t99);
									E003F7510(_v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x40d528;
											if(__eflags != 0) {
												_t72 = E0040BBD0(__eflags, 0x40d528);
												_t107 = _t107 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t101 =  *0x40d528; // 0x3f72cc
													 *0x40d254(_a4, 1);
													 *_t101();
													_t99 = _v20;
													_t107 = _t107 + 8;
												}
												_t62 = _a4;
											}
										}
										E003F8E94(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t96;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t96) {
											E003F8EB0(_t64, _t96, _t99, 0x416014);
											_t64 = _a8;
										}
										_push(_t99);
										 *((intOrPtr*)(_t64 + 0xc)) = _t79;
										E003F7510(_v12);
										_t87 =  *((intOrPtr*)(_v24 + 8));
										E003F8E78();
										asm("int3");
										__eflags = E003F8EC7();
										if(__eflags != 0) {
											_t67 = E003F7F20(_t87, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E003F8F03();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t96 = _t79;
						} while (_t79 != 0xfffffffe);
						if(_t84 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x003f7557
0x003f755c
0x003f7562
0x003f756e
0x003f7570
0x003f7576
0x003f7576
0x003f757f
0x003f7581
0x003f7584
0x003f7587
0x003f758f
0x003f7594
0x003f7597
0x003f759a
0x003f75a1
0x003f75fd
0x003f7600
0x003f760f
0x00000000
0x003f760f
0x00000000
0x003f75a3
0x003f75a3
0x003f75a9
0x003f75af
0x003f75b5
0x003f7620
0x003f7629
0x003f75b7
0x003f75b7
0x003f75b7
0x003f75bd
0x003f75c0
0x003f75c3
0x003f75c6
0x003f75c9
0x003f75ce
0x003f75e4
0x00000000
0x003f75d0
0x003f75d2
0x003f75d7
0x003f75d9
0x003f75dc
0x003f75de
0x003f75f4
0x003f7614
0x003f7614
0x003f7618
0x00000000
0x003f75e0
0x003f75e0
0x003f762a
0x003f762d
0x003f7633
0x003f7635
0x003f763c
0x003f7643
0x003f7648
0x003f764b
0x003f764d
0x003f764f
0x003f765c
0x003f7662
0x003f7664
0x003f7667
0x003f7667
0x003f766a
0x003f766a
0x003f763c
0x003f7672
0x003f7677
0x003f767a
0x003f767d
0x003f7689
0x003f768e
0x003f768e
0x003f7691
0x003f7695
0x003f7698
0x003f76a5
0x003f76a8
0x003f76ad
0x003f76b3
0x003f76b5
0x003f76ba
0x003f76bf
0x003f76c1
0x003f76cc
0x003f76c3
0x003f76c3
0x00000000
0x003f76c3
0x003f76b7
0x003f76b7
0x003f76b7
0x003f76b9
0x003f76b9
0x003f75e2
0x00000000
0x003f75e2
0x003f75e0
0x003f75de
0x00000000
0x003f75e7
0x003f75e7
0x003f75e9
0x003f75f0
0x00000000
0x003f75f2
0x00000000
0x003f75f0
0x003f75b5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 003F7587
___except_validate_context_record.LIBVCRUNTIME ref: 003F758F
_ValidateLocalCookies.LIBCMT ref: 003F7618
__IsNonwritableInCurrentImage.LIBCMT ref: 003F7643
_ValidateLocalCookies.LIBCMT ref: 003F7698

Strings

csm, xrefs: 003F762D

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ca3eade35375382d346d2e4b60c5c8b044d7ae613c5b45ce7f1cd491098658b5
Instruction ID: 4570087161dc776b6d0ff3a2d6c221d9874e483d7e467baa3325591ef0e9df83
Opcode Fuzzy Hash: ca3eade35375382d346d2e4b60c5c8b044d7ae613c5b45ce7f1cd491098658b5
Instruction Fuzzy Hash: 9C41C530E0421CABCF11DF6CC884ABEBFB5AF45324F158065EA18AB392D775D905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003FF937 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003FF937(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x417280 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x40e388 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E003FF818(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E003FF818(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x003ff940
0x003ff9ea
0x003ff948
0x003ff94a
0x003ff951
0x003ff953
0x003ff959
0x003ff966
0x003ff97b
0x003ff97f
0x003ff9d1
0x003ff9d1
0x003ff9d6
0x003ff9da
0x003ff9dd
0x003ff9dd
0x003ff9e3
0x003ff9e5
0x003ff9fa
0x003ff9f5
0x003ff9f9
0x003ff9f9
0x003ff9e7
0x003ff9e7
0x00000000
0x003ff9e7
0x003ff981
0x003ff98a
0x003ff9c1
0x003ff9c1
0x003ff9c3
0x003ff9c5
0x00000000
0x00000000
0x003ff9cd
0x00000000
0x003ff9cd
0x003ff994
0x003ff999
0x003ff99e
0x00000000
0x00000000
0x003ff9a8
0x003ff9ad
0x003ff9b2
0x00000000
0x00000000
0x003ff9b7
0x003ff9bd
0x00000000
0x003ff9bd
0x003ff95e
0x00000000
0x00000000
0x00000000
0x003ff964
0x003ff9f3
0x00000000

Strings

ext-ms-, xrefs: 003FF9A2
api-ms-, xrefs: 003FF98E

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 6da25d6b5c7a262dc7ad84a92d4d1e9ac6fe85cace484f59affe51a596dc7ce2
Instruction ID: dbe7b7a377358e4182ddb5e8d2da54d347a49e95a4b086087c6d8b7c55b89c3d
Opcode Fuzzy Hash: 6da25d6b5c7a262dc7ad84a92d4d1e9ac6fe85cace484f59affe51a596dc7ce2
Instruction Fuzzy Hash: D721D532A0522ABFDB234B649C41F7F36589F017A4F220631EE46B7290D7B4ED00C5E4

Uniqueness

Uniqueness Score: -1.00%

Function 00404769 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404769(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00404731(_t45, 7);
					E00404731(_t45 + 0x1c, 7);
					E00404731(_t45 + 0x38, 0xc);
					E00404731(_t45 + 0x68, 0xc);
					E00404731(_t45 + 0x98, 2);
					E003FF8AF( *((intOrPtr*)(_t45 + 0xa0)));
					E003FF8AF( *((intOrPtr*)(_t45 + 0xa4)));
					E003FF8AF( *((intOrPtr*)(_t45 + 0xa8)));
					E00404731(_t45 + 0xb4, 7);
					E00404731(_t45 + 0xd0, 7);
					E00404731(_t45 + 0xec, 0xc);
					E00404731(_t45 + 0x11c, 0xc);
					E00404731(_t45 + 0x14c, 2);
					E003FF8AF( *((intOrPtr*)(_t45 + 0x154)));
					E003FF8AF( *((intOrPtr*)(_t45 + 0x158)));
					E003FF8AF( *((intOrPtr*)(_t45 + 0x15c)));
					return E003FF8AF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0040476f
0x00404774
0x0040477d
0x00404788
0x00404793
0x0040479e
0x004047ac
0x004047b7
0x004047c2
0x004047cd
0x004047db
0x004047e9
0x004047fa
0x00404808
0x00404816
0x00404821
0x0040482c
0x00404837
0x00000000
0x00404847
0x0040484c

APIs

Part of subcall function 00404731: _free.LIBCMT ref: 00404756

_free.LIBCMT ref: 004047B7

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

_free.LIBCMT ref: 004047C2
_free.LIBCMT ref: 004047CD
_free.LIBCMT ref: 00404821
_free.LIBCMT ref: 0040482C
_free.LIBCMT ref: 00404837
_free.LIBCMT ref: 00404842

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f6ed98e04170380524c468615c42389a16b2cba1c9deea2703856d9df2c1db56
Instruction ID: 61b010a960db32acedc5e53599b782bac48963fdc1085f9df04ff4dd5737de6e
Opcode Fuzzy Hash: f6ed98e04170380524c468615c42389a16b2cba1c9deea2703856d9df2c1db56
Instruction Fuzzy Hash: B51159B1540B08BEDA21BBB1CC86FDB779CEF41701F80483AF799AB492DB38A5048654

Uniqueness

Uniqueness Score: -1.00%

Function 0040585E Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E0040585E(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x416014; // 0x9d5f503d
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x417358 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E003FA2F9( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x417358 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x416218)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x417358 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x416218)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x417358 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E003F92F0( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x417358 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00406351(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00403CD4(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00402AC6(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x417358 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x417358 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x417358 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00400504( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00400504();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E003F5D05(_v8 ^ _t294);
			}

0x00405869
0x00405870
0x00405873
0x00405878
0x00405880
0x00405883
0x00405887
0x0040588a
0x00405894
0x0040589e
0x004058a0
0x004058a3
0x004058a6
0x004058ac
0x004058ae
0x004058b5
0x004058c2
0x004058c3
0x004058c6
0x004058c9
0x004058ca
0x004058cb
0x004058ce
0x004058d3
0x00405bdf
0x00405bdf
0x004058d9
0x004058d9
0x004058dc
0x004058de
0x004058e4
0x004058e7
0x004058ee
0x004058f5
0x004058fe
0x00000000
0x00000000
0x00405904
0x0040590a
0x0040590c
0x0040590e
0x00405911
0x00405916
0x0040591a
0x00000000
0x00000000
0x00000000
0x0040591a
0x0040591f
0x00405922
0x00405924
0x00405929
0x004059db
0x004059dc
0x004059df
0x004059e1
0x00405b8f
0x00405b91
0x00000000
0x00405b93
0x00405b93
0x00405b96
0x00405b99
0x00405ba2
0x00405ba5
0x00405ba6
0x00405baa
0x00405bad
0x00405bad
0x00000000
0x00405bb1
0x004059e7
0x004059e7
0x004059ec
0x004059ef
0x004059f5
0x004059fb
0x00405a04
0x00405a07
0x00405a07
0x00405a08
0x00405a09
0x00405a0c
0x00405a0d
0x00000000
0x00405a0d
0x0040592f
0x0040593e
0x0040593f
0x00405942
0x00405944
0x00405949
0x00405b5a
0x00405b5c
0x00405b5e
0x00405b61
0x00405b66
0x00405b6f
0x00405b72
0x00405b73
0x00405b77
0x00405b7a
0x00405b7d
0x00405b7d
0x00405b81
0x00405b81
0x00405b81
0x00405b84
0x00405b84
0x00405b84
0x00405b86
0x00405b86
0x00405b8a
0x0040594f
0x0040594f
0x00405953
0x00405955
0x00405958
0x0040595b
0x0040595f
0x00405960
0x00405964
0x00405964
0x00405967
0x0040596c
0x00405978
0x0040597d
0x00405980
0x00405980
0x00405985
0x00405987
0x0040598a
0x0040598c
0x0040598f
0x00405992
0x00405995
0x0040599d
0x004059a1
0x004059a5
0x004059a5
0x004059ab
0x004059b1
0x004059b4
0x004059bc
0x004059c3
0x004059c7
0x004059c8
0x004059cb
0x004059cc
0x00405a10
0x00405a10
0x00405a14
0x00405a15
0x00405a1a
0x00405a20
0x00000000
0x00405a26
0x00405a2a
0x00405ab3
0x00405aba
0x00405ac2
0x00405aca
0x00405acf
0x00405ad2
0x00405ad7
0x00000000
0x00405add
0x00405af2
0x00405bd6
0x00405bdc
0x00000000
0x00405af8
0x00405b01
0x00405b03
0x00405b09
0x00000000
0x00405b0f
0x00405b13
0x00405b49
0x00405b4c
0x00000000
0x00405b52
0x00405b52
0x00000000
0x00405b52
0x00405b15
0x00405b17
0x00405b19
0x00405b32
0x00000000
0x00405b38
0x00405b3c
0x00000000
0x00405b42
0x00405b42
0x00405b45
0x00405b46
0x00000000
0x00405b46
0x00405b3c
0x00405b32
0x00405b13
0x00405b09
0x00405af2
0x00405ad7
0x00405a20
0x00405949
0x00000000
0x00405a31
0x00405a31
0x00405a34
0x00405a38
0x00405a3b
0x00405a5d
0x00405a60
0x00405a65
0x00405a69
0x00405a6d
0x00405a9b
0x00405a9d
0x00000000
0x00405a6f
0x00405a6f
0x00405a72
0x00405a75
0x00405a78
0x00405bb3
0x00405bb6
0x00405bc3
0x00405bce
0x00405bd3
0x00000000
0x00405a7e
0x00405a85
0x00405a8a
0x00405a8d
0x00405a90
0x00000000
0x00405a96
0x00405a96
0x00000000
0x00405a96
0x00405a90
0x00405a78
0x00405a3d
0x00405a44
0x00405a49
0x00405a4f
0x00405a51
0x00405a58
0x00405a9e
0x00405aa1
0x00405aa2
0x00405aa7
0x00405aaa
0x00405aad
0x00000000
0x00000000
0x00000000
0x00000000
0x00405aad
0x00000000
0x00405a3b
0x004058dc
0x00405be2
0x00405be2
0x00405be4
0x00405be7
0x00405be7
0x00405be7
0x00405be7
0x00405bf9
0x00405bfb
0x00405bfc
0x00405bfd
0x00405c07

APIs

GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 004058A6
__fassign.LIBCMT ref: 00405A85
__fassign.LIBCMT ref: 00405AA2
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405AEA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00405B2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405BD6

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: ee34724682a93d68495f15f5c40c20c36f8ec283b8e1946a5717eac3f8e33a4f
Instruction ID: 1fe72a8ab12110e7b990d0b1ba527b9cdd8af4b76a4155eac3c6dfccbb7eedaa
Opcode Fuzzy Hash: ee34724682a93d68495f15f5c40c20c36f8ec283b8e1946a5717eac3f8e33a4f
Instruction Fuzzy Hash: 12D19E71D046589FCF15CFA8C8809EEBBB5EF48314F28416AE856BB381D634AD46CF58

Uniqueness

Uniqueness Score: -1.00%

Function 003F6C50 Relevance: 9.2, APIs: 6, Instructions: 154
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E003F6C50(void* __ebx, char* _a4) {
				int _v8;
				signed int _v12;
				char _v20;
				short* _v28;
				signed int _v32;
				short* _v36;
				int _v40;
				int _v44;
				intOrPtr _v60;
				signed int _t30;
				signed int _t31;
				char _t33;
				int _t34;
				signed short _t36;
				signed short _t38;
				void* _t49;
				short* _t50;
				int _t52;
				char* _t58;
				int _t59;
				char* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t69;
				intOrPtr _t70;
				int _t71;
				intOrPtr* _t72;
				short* _t75;
				signed int _t79;
				void* _t81;
				short* _t82;

				_push(0xfffffffe);
				_push(0x414360);
				_push(E003F7550);
				_push( *[fs:0x0]);
				_t82 = _t81 - 0x18;
				_t30 =  *0x416014; // 0x9d5f503d
				_v12 = _v12 ^ _t30;
				_t31 = _t30 ^ _t79;
				_v32 = _t31;
				_push(_t75);
				_push(_t71);
				_push(_t31);
				 *[fs:0x0] =  &_v20;
				_v28 = _t82;
				_t58 = _a4;
				if(_t58 != 0) {
					_t61 = _t58;
					_t10 =  &(_t61[1]); // 0x3f58db
					_t69 = _t10;
					do {
						_t33 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t33 != 0);
					_t62 = _t61 - _t69;
					_t11 = _t62 + 1; // 0x3f58dc
					_t34 = _t11;
					_v44 = _t34;
					if(_t34 > 0x7fffffff) {
						L17:
						E003F6C30(0x80070057);
						goto L18;
					} else {
						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
						_v40 = _t71;
						if(_t71 == 0) {
							L18:
							_t36 = GetLastError();
							if(_t36 > 0) {
								_t36 = _t36 & 0x0000ffff | 0x80070000;
							}
							E003F6C30(_t36);
							goto L21;
						} else {
							_v8 = 0;
							_t49 = _t71 + _t71;
							if(_t71 >= 0x1000) {
								_push(_t49);
								_t50 = E003FC2D4(_t62);
								_t82 =  &(_t82[2]);
								_t75 = _t50;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							} else {
								E0040BB50();
								_v28 = _t82;
								_t75 = _t82;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							}
							if(_t75 == 0) {
								L16:
								E003F6C30(0x8007000e);
								goto L17;
							} else {
								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
								if(_t52 == 0) {
									L21:
									if(_t71 >= 0x1000) {
										E003FC3DA(_t75);
										_t82 =  &(_t82[2]);
									}
									_t38 = GetLastError();
									if(_t38 > 0) {
										_t38 = _t38 & 0x0000ffff | 0x80070000;
									}
									E003F6C30(_t38);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t79);
									_t70 = _v60;
									_push(_t71);
									_t72 = _t62;
									 *_t72 = 0x40d524;
									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
									_t63 =  *((intOrPtr*)(_t70 + 8));
									 *((intOrPtr*)(_t72 + 8)) = _t63;
									 *(_t72 + 0xc) = 0;
									if(_t63 != 0) {
										 *0x40d254(_t63, _t75);
										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
									}
									return _t72;
								} else {
									__imp__#2(_t75);
									_t59 = _t52;
									if(_t71 >= 0x1000) {
										E003FC3DA(_t75);
										_t82 =  &(_t82[2]);
									}
									if(_t59 == 0) {
										goto L16;
									} else {
										goto L2;
									}
								}
							}
						}
					}
				} else {
					L2:
					 *[fs:0x0] = _v20;
					return E003F5D05(_v32 ^ _t79);
				}
			}

0x003f6c53
0x003f6c55
0x003f6c5a
0x003f6c65
0x003f6c66
0x003f6c69
0x003f6c6e
0x003f6c71
0x003f6c73
0x003f6c77
0x003f6c78
0x003f6c79
0x003f6c7d
0x003f6c83
0x003f6c86
0x003f6c8b
0x003f6cb0
0x003f6cb2
0x003f6cb2
0x003f6cb5
0x003f6cb5
0x003f6cb7
0x003f6cb8
0x003f6cbc
0x003f6cbe
0x003f6cbe
0x003f6cc1
0x003f6cc9
0x003f6d8d
0x003f6d92
0x00000000
0x003f6ccf
0x003f6cdf
0x003f6ce1
0x003f6ce6
0x003f6d97
0x003f6d97
0x003f6d9f
0x003f6da4
0x003f6da4
0x003f6daa
0x00000000
0x003f6cec
0x003f6cec
0x003f6cf3
0x003f6cfc
0x003f6d14
0x003f6d15
0x003f6d1a
0x003f6d1d
0x003f6d1f
0x003f6d22
0x003f6cfe
0x003f6cfe
0x003f6d03
0x003f6d06
0x003f6d08
0x003f6d0b
0x003f6d0b
0x003f6d48
0x003f6d83
0x003f6d88
0x00000000
0x003f6d4a
0x003f6d54
0x003f6d5c
0x003f6daf
0x003f6db5
0x003f6db8
0x003f6dbd
0x003f6dbd
0x003f6dc0
0x003f6dc8
0x003f6dcd
0x003f6dcd
0x003f6dd3
0x003f6dd8
0x003f6dd9
0x003f6dda
0x003f6ddb
0x003f6ddc
0x003f6ddd
0x003f6dde
0x003f6ddf
0x003f6de0
0x003f6de3
0x003f6de6
0x003f6de7
0x003f6de9
0x003f6df2
0x003f6df5
0x003f6df8
0x003f6dfb
0x003f6e04
0x003f6e0f
0x003f6e15
0x003f6e17
0x003f6e1c
0x003f6d5e
0x003f6d5f
0x003f6d65
0x003f6d6d
0x003f6d70
0x003f6d75
0x003f6d75
0x003f6d7a
0x00000000
0x003f6d7c
0x00000000
0x003f6d7c
0x003f6d7a
0x003f6d5c
0x003f6d48
0x003f6ce6
0x003f6c8d
0x003f6c8f
0x003f6c95
0x003f6cad
0x003f6cad

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,003F58DA,003F58DC,00000000,00000000,9D5F503D,00000000,00000000,?,003F7550,00414360,000000FE,?,003F58DA,WQL), ref: 003F6CD9
__alloca_probe_16.LIBCMT ref: 003F6CFE
MultiByteToWideChar.KERNEL32(00000000,00000000,003F58DA,?,00000000,00000000,?,?,?,?,?,003F58DA), ref: 003F6D54
SysAllocString.OLEAUT32(00000000), ref: 003F6D5F
GetLastError.KERNEL32(80070057,9D5F503D,00000000,00000000,?,003F7550,00414360,000000FE,?,003F58DA,WQL), ref: 003F6D97
GetLastError.KERNEL32(00000000,?,003F58DA,WQL), ref: 003F6DC0

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide$AllocString__alloca_probe_16
String ID:
API String ID: 361600049-0
Opcode ID: 670ee9df9c1d082291d222c88b6b24fa5a0b3883a3821b5694fe2582665bc42c
Instruction ID: b5e9561e09b93e0d213c4c8728879dedf00e7e93568338ea05a66d06ec7c2a2e
Opcode Fuzzy Hash: 670ee9df9c1d082291d222c88b6b24fa5a0b3883a3821b5694fe2582665bc42c
Instruction Fuzzy Hash: 9741EA71B0020DABDB119FA8DD46BBEBBB8EF44750F114239F649EB281D7349804C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 003F1760 Relevance: 9.1, APIs: 6, Instructions: 111
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E003F1760(struct HWND__* _a4, struct HWND__* _a8, unsigned int _a16) {
				void* __edi;
				void* __esi;
				struct HWND__* _t17;
				long _t21;
				intOrPtr* _t22;
				intOrPtr* _t29;
				intOrPtr* _t32;
				signed int _t35;
				void* _t46;
				intOrPtr* _t48;
				void* _t52;
				void* _t59;
				void* _t60;
				void* _t61;
				unsigned int _t62;
				void _t64;
				void* _t67;

				_t17 = _a8;
				_t67 = _t17 - 5;
				if(_t67 > 0) {
					if(_t17 != 0x113) {
						goto L14;
					}
					PostMessageW( *0x41f9c4, 0x10, 0, 0);
					return 1;
				} else {
					if(_t67 == 0) {
						_t21 = GetWindowLongW(_a4, 0xffffffeb);
						_push( &_a4);
						_push(0x40d330);
						_t22 =  *_t21;
						_push(_t22);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t22))))() == 0) {
							_t48 = _a4;
							_t62 = _a16;
							 *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0x68))))(_t48, _t62 & 0x0000ffff);
							_t29 = _a4;
							 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x70))))(_t29, _t62 >> 0x10);
							_t32 = _a4;
							 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 8))))(_t32);
						}
						return 0;
					} else {
						_t52 = _t17 - 1;
						if(_t52 == 0) {
							_t35 = E003F1550(_t46, _a4, _t59, _t61);
							if(_t35 == 0) {
								 *0x417730 =  *0x417730 + 1;
								return 0;
							} else {
								return _t35 | 0xffffffff;
							}
						} else {
							if(_t52 != 1) {
								L14:
								return DefWindowProcW(_t17);
							}
							_t60 = GetWindowLongW(_a4, 0xffffffeb);
							if(_t60 != 0) {
								_t64 =  *_t60;
								 *((intOrPtr*)( *((intOrPtr*)( *_t64 + 0x18))))(_t64, 1);
								 *((intOrPtr*)( *((intOrPtr*)( *_t64 + 8))))(_t64);
								GlobalFree(_t60);
							}
							KillTimer(_a4, 0x8fff);
							PostQuitMessage(0);
							return 1;
						}
					}
				}
			}

0x003f1763
0x003f1768
0x003f176b
0x003f1851
0x00000000
0x00000000
0x003f186b
0x003f1879
0x003f1771
0x003f1771
0x003f17fc
0x003f1805
0x003f1806
0x003f180b
0x003f180d
0x003f1816
0x003f1818
0x003f181b
0x003f1828
0x003f182a
0x003f1837
0x003f1839
0x003f1842
0x003f1842
0x003f1849
0x003f1777
0x003f1779
0x003f177c
0x003f17d7
0x003f17de
0x003f17e9
0x003f17f4
0x003f17e0
0x003f17e6
0x003f17e6
0x003f177e
0x003f1781
0x003f1855
0x003f1859
0x003f1859
0x003f1792
0x003f1796
0x003f1798
0x003f17a2
0x003f17aa
0x003f17ad
0x003f17ad
0x003f17bb
0x003f17c3
0x003f17d1
0x003f17d1
0x003f177c
0x003f1771

APIs

GetWindowLongW.USER32(?,000000EB), ref: 003F178C
GlobalFree.KERNEL32 ref: 003F17AD
KillTimer.USER32(?,00008FFF), ref: 003F17BB
PostQuitMessage.USER32(00000000), ref: 003F17C3
GetWindowLongW.USER32(?,000000EB), ref: 003F17FC
PostMessageW.USER32(00000010,00000000,00000000), ref: 003F186B

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: LongMessagePostWindow$FreeGlobalKillQuitTimer
String ID:
API String ID: 2369879578-0
Opcode ID: 23446283b5cccf09533fdfe7ed6fcf750825dcd71e55f31d00e1339eb6e58e2b
Instruction ID: 7af870066b6467b8a1f851017c662403a3f74a89372294d68b436a49ecd74dc5
Opcode Fuzzy Hash: 23446283b5cccf09533fdfe7ed6fcf750825dcd71e55f31d00e1339eb6e58e2b
Instruction Fuzzy Hash: 72316136200108AFC715DFACED44FAA37A9EB89360F104176F619DB2A1CB71DC55DB94

Uniqueness

Uniqueness Score: -1.00%

Function 003F7E8E Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E003F7E8E(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x416030 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E003F909D(_t13, __eflags,  *0x416030);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E003F90D8(_t14, __eflags,  *0x416030, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E003FF794(_t16);
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E003F90D8(_t18, __eflags,  *0x416030, 0);
								} else {
									_t8 = E003F90D8(_t18, __eflags,  *0x416030, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E003FC3DA(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x003f7e8e
0x003f7e95
0x003f7ea8
0x003f7eaf
0x003f7eb1
0x003f7eb2
0x003f7eb5
0x003f7ece
0x003f7ece
0x003f7eb7
0x003f7eb7
0x003f7eb9
0x003f7ec3
0x003f7ec9
0x003f7eca
0x003f7ecc
0x003f7ed3
0x003f7edc
0x003f7edf
0x003f7ee0
0x003f7ee2
0x003f7ef6
0x003f7ef6
0x003f7eff
0x003f7ee4
0x003f7eeb
0x003f7ef1
0x003f7ef2
0x003f7ef4
0x003f7f08
0x003f7f0a
0x003f7f0a
0x00000000
0x00000000
0x00000000
0x003f7ef4
0x003f7f0d
0x00000000
0x00000000
0x00000000
0x003f7ecc
0x003f7eb9
0x003f7f15
0x003f7f1f
0x003f7e97
0x003f7e99
0x003f7e99

APIs

GetLastError.KERNEL32(?,?,003F7E85,003F7478,003F66A7), ref: 003F7E9C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003F7EAA
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003F7EC3
SetLastError.KERNEL32(00000000,003F7E85,003F7478,003F66A7), ref: 003F7F15

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 078d19a4e081dc8adc3792b173dd08c1cdb4ec0e5075b58cbafcea995ea77a7d
Instruction ID: a9b6125fd880da01eca57468525287e42c097e7cba376511761a3af04ce237da
Opcode Fuzzy Hash: 078d19a4e081dc8adc3792b173dd08c1cdb4ec0e5075b58cbafcea995ea77a7d
Instruction Fuzzy Hash: 4801473221E31E5EE6276BB87C85BB62B58DF007B5B21023BF710581E0EF518C04D144

Uniqueness

Uniqueness Score: -1.00%

Function 004009D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E004009D4(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x416148; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E003FFC1B(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E003FF852(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E003FFC1B(__eflags,  *0x416148, _t51);
							if(__eflags != 0) {
								E00400802(_t51, "PaA");
								E003FF8AF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E003FFC1B(__eflags,  *0x416148, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E003FFC1B(0,  *0x416148, 0);
							_push(0);
							L9:
							E003FF8AF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E003FFBDC(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x416148; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E003FF6F6(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x416148; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E003FFC1B(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E003FF852(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E003FFC1B(__eflags,  *0x416148, _t60);
								if(__eflags != 0) {
									E00400802(_t60, "PaA");
									E003FF8AF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E003FFC1B(__eflags,  *0x416148, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E003FFC1B(__eflags,  *0x416148, _t20);
								_push(_t60);
								L25:
								E003FF8AF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E003FFBDC(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x416148; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E003FF6F6(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x416148; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E003FFC1B(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E003FF852(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E003FFC1B(__eflags,  *0x416148, _t54);
											if(__eflags != 0) {
												E00400802(_t54, "PaA");
												E003FF8AF(0);
												goto L45;
											} else {
												_t40 = 0;
												E003FFC1B(__eflags,  *0x416148, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E003FFC1B(0,  *0x416148, 0);
											_push(0);
											L41:
											E003FF8AF();
											goto L36;
										}
									}
								} else {
									_t54 = E003FFBDC(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x416148; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x004009d4
0x004009d4
0x004009df
0x004009e1
0x004009e6
0x004009e9
0x00400a07
0x00400a0a
0x00400a0f
0x00400a11
0x00000000
0x00400a13
0x00400a1f
0x00400a22
0x00400a23
0x00400a25
0x00400a4a
0x00400a4c
0x00400a65
0x00400a6c
0x00400a71
0x00000000
0x00400a4e
0x00400a4e
0x00400a57
0x00400a5c
0x00000000
0x00400a5c
0x00400a27
0x00400a27
0x00400a27
0x00400a30
0x00400a35
0x00400a36
0x00400a36
0x00400a3b
0x00000000
0x00400a3b
0x00400a25
0x004009eb
0x004009f1
0x004009f5
0x00400a02
0x00000000
0x004009f7
0x004009fa
0x00400a74
0x00400a74
0x004009fc
0x004009fc
0x004009fc
0x004009fe
0x004009fe
0x004009fe
0x004009fa
0x004009f5
0x00400a77
0x00400a7f
0x00400a81
0x00400a83
0x00400a8b
0x00400a90
0x00400a91
0x00400a96
0x00400a97
0x00400a9a
0x00400ab4
0x00400ab7
0x00400abc
0x00400abe
0x00000000
0x00400ac0
0x00400acc
0x00400acf
0x00400ad0
0x00400ad2
0x00400af5
0x00400af7
0x00400b0e
0x00400b15
0x00400b1a
0x00000000
0x00400af9
0x00400b00
0x00400b05
0x00000000
0x00400b05
0x00400ad4
0x00400adb
0x00400ae0
0x00400ae1
0x00400ae1
0x00400ae6
0x00000000
0x00400ae6
0x00400ad2
0x00400a9c
0x00400aa2
0x00400aa4
0x00400aa6
0x00400aaf
0x00000000
0x00400aa8
0x00400aa8
0x00400aab
0x00400b25
0x00400b25
0x00400b2a
0x00400b2d
0x00400b2e
0x00400b2f
0x00400b36
0x00400b38
0x00400b3d
0x00400b40
0x00400b5e
0x00400b61
0x00400b66
0x00400b68
0x00000000
0x00400b6a
0x00400b76
0x00400b7a
0x00400b7c
0x00400ba1
0x00400ba3
0x00400bbc
0x00400bc3
0x00000000
0x00400ba5
0x00400ba5
0x00400bae
0x00400bb3
0x00000000
0x00400bb3
0x00400b7e
0x00400b7e
0x00400b7e
0x00400b87
0x00400b8c
0x00400b8d
0x00400b8d
0x00000000
0x00400b92
0x00400b7c
0x00400b42
0x00400b48
0x00400b4a
0x00400b4c
0x00400b59
0x00000000
0x00400b4e
0x00400b4e
0x00400b51
0x00400bcb
0x00400bcb
0x00400b53
0x00400b53
0x00400b53
0x00400b53
0x00400b55
0x00400b55
0x00400b55
0x00400b51
0x00400b4c
0x00400bce
0x00400bd6
0x00400bd8
0x00400bd8
0x00400bdf
0x00400aad
0x00400b1d
0x00400b1d
0x00400b1f
0x00000000
0x00400b21
0x00400b24
0x00400b24
0x00400b1f
0x00400aab
0x00400aa6
0x00400a85
0x00400a8a
0x00400a8a

APIs

GetLastError.KERNEL32(?,8007000E,?,003FA339,8007000E,?,?,?,003F9BEA,?,?,8007000E,?), ref: 004009D9
_free.LIBCMT ref: 00400A36
_free.LIBCMT ref: 00400A6C
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,003F9BEA,?,?,8007000E,?), ref: 00400A77

Strings

PaA, xrefs: 00400A5F

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ErrorLast_free
String ID: PaA
API String ID: 2283115069-4005616706
Opcode ID: c34589f768ec1e99b75fd84afc93fe9f05084c3b318f742c92c3feed30fe9e07
Instruction ID: c3656335b2c43622c782f31f458cd0081597423777e4ac07f96ac4e313083bf0
Opcode Fuzzy Hash: c34589f768ec1e99b75fd84afc93fe9f05084c3b318f742c92c3feed30fe9e07
Instruction Fuzzy Hash: EC11C6327002097ED61237749C85F7B25599FD0374F264236FE24AB2E2EE79CC42852C

Uniqueness

Uniqueness Score: -1.00%

Function 00400B2B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00400B2B(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x416148; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E003FFC1B(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E003FF852(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E003FFC1B(__eflags,  *0x416148, _t18);
							if(__eflags != 0) {
								E00400802(_t18, "PaA");
								E003FF8AF(0);
								goto L13;
							} else {
								_t13 = 0;
								E003FFC1B(__eflags,  *0x416148, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E003FFC1B(0,  *0x416148, 0);
							_push(0);
							L9:
							E003FF8AF();
							goto L4;
						}
					}
				} else {
					_t18 = E003FFBDC(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x416148; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x00400b2b
0x00400b36
0x00400b38
0x00400b3d
0x00400b40
0x00400b5e
0x00400b61
0x00400b66
0x00400b68
0x00000000
0x00400b6a
0x00400b76
0x00400b7a
0x00400b7c
0x00400ba1
0x00400ba3
0x00400bbc
0x00400bc3
0x00000000
0x00400ba5
0x00400ba5
0x00400bae
0x00400bb3
0x00000000
0x00400bb3
0x00400b7e
0x00400b7e
0x00400b7e
0x00400b87
0x00400b8c
0x00400b8d
0x00400b8d
0x00000000
0x00400b92
0x00400b7c
0x00400b42
0x00400b48
0x00400b4c
0x00400b59
0x00000000
0x00400b4e
0x00400b51
0x00400bcb
0x00400bcb
0x00400b53
0x00400b53
0x00400b53
0x00400b55
0x00400b55
0x00400b55
0x00400b51
0x00400b4c
0x00400bce
0x00400bd6
0x00400bdf

APIs

GetLastError.KERNEL32(?,?,?,003FD882,0040568D,?,003FF6D2,?,00000004,00000004,?,00000000,?,003FF200,?,00000004), ref: 00400B30
_free.LIBCMT ref: 00400B8D
_free.LIBCMT ref: 00400BC3
SetLastError.KERNEL32(00000000,00000006,000000FF,?,003FF6D2,?,00000004,00000004,?,00000000,?,003FF200,?,00000004,00000004), ref: 00400BCE

Strings

PaA, xrefs: 00400BB6

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ErrorLast_free
String ID: PaA
API String ID: 2283115069-4005616706
Opcode ID: 84e2328e9eb40911f6821fabe05c285621b805bbe58080b3eab331f457cbad38
Instruction ID: 72245906bdea7b24228626879cbe9ef6d42d1dd552776584f87fee0d5cbdae11
Opcode Fuzzy Hash: 84e2328e9eb40911f6821fabe05c285621b805bbe58080b3eab331f457cbad38
Instruction Fuzzy Hash: BE11A7322041083ED65236B5AC85F6B32699BC0379F250235FE24AB2E2DE75DC42412C

Uniqueness

Uniqueness Score: -1.00%

Function 003F8F32 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003F8F32(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x416fe8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x40dee8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L11:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L13:
							if(_t32 != 0) {
								_t16 = _t32;
								L17:
								return _t16;
							}
							L14:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							_t32 = 0;
							L9:
							if(_t32 != 0) {
								goto L11;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L14;
						}
						_t18 = E003FF818(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L9;
					}
					if(_t32 == 0xffffffff) {
						goto L14;
					}
					goto L13;
				}
				_t16 = 0;
				goto L17;
			}

0x003f8f39
0x003f8fca
0x003f8f41
0x003f8f43
0x003f8f4a
0x003f8f4c
0x003f8f51
0x003f8f5a
0x003f8f6f
0x003f8f73
0x003f8fb1
0x003f8fb1
0x003f8fb6
0x003f8fba
0x003f8fbd
0x003f8fbd
0x003f8fc3
0x003f8fc5
0x003f8fda
0x003f8fd5
0x003f8fd9
0x003f8fd9
0x003f8fc7
0x003f8fc7
0x00000000
0x003f8fc7
0x003f8f75
0x003f8f7e
0x003f8fa1
0x003f8fa1
0x003f8fa3
0x003f8fa5
0x00000000
0x00000000
0x003f8fad
0x00000000
0x003f8fad
0x003f8f88
0x003f8f8d
0x003f8f92
0x00000000
0x00000000
0x003f8f97
0x003f8f9d
0x00000000
0x003f8f9d
0x003f8f56
0x00000000
0x00000000
0x00000000
0x003f8f58
0x003f8fd3
0x00000000

Strings

api-ms-, xrefs: 003F8F82

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 00a447e966b21629cb48c1367d8dfeabf7d9e71eb3063719d6300f8c3791fdda
Instruction ID: 57098a3f3fd1cc84590ef45d73a747f9e37ac397a193d1b92ddc6cb731fc685c
Opcode Fuzzy Hash: 00a447e966b21629cb48c1367d8dfeabf7d9e71eb3063719d6300f8c3791fdda
Instruction Fuzzy Hash: 1D119A31E053299FCB274B68FC41E7A77599F05764B120521FF06A7290DE30DE0086E4

Uniqueness

Uniqueness Score: -1.00%

Function 003FDD09 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E003FDD09(void* __ecx, intOrPtr _a4, long _a8, char _a12) {
				signed int _v8;
				long _v12;
				long _t18;
				void* _t29;
				void* _t30;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_t35 = _a4;
				if(_a4 != 0) {
					_push(_t29);
					_t2 =  &_a12; // 0x3f3f43
					_t33 = E003FDCB9(__ecx, __eflags, _a4,  *_t2);
					_v8 = _t33;
					__eflags = _t33;
					if(_t33 == 0) {
						L5:
						_t30 = _t29 | 0xffffffff;
						__eflags = _t30;
					} else {
						_v12 = _v12 & 0x00000000;
						_t29 = CreateThread(0, _a8, E003FDBAB, _t33, 4,  &_v12);
						__eflags = _t29;
						if(_t29 != 0) {
							 *(_t33 + 8) = _t29;
							_t18 = ResumeThread(_t29);
							__eflags = _t18 - 0xffffffff;
							if(_t18 == 0xffffffff) {
								goto L4;
							} else {
								_v8 = _v8 & 0x00000000;
							}
						} else {
							L4:
							E003FD847(GetLastError());
							goto L5;
						}
					}
					E003FDC2B( &_v8);
					return _t30;
				} else {
					 *((intOrPtr*)(E003FD87D(_t35))) = 0x16;
					return E003FDA3C() | 0xffffffff;
				}
			}

0x003fdd0e
0x003fdd0f
0x003fdd10
0x003fdd14
0x003fdd2c
0x003fdd2d
0x003fdd38
0x003fdd3a
0x003fdd3f
0x003fdd41
0x003fdd71
0x003fdd71
0x003fdd71
0x003fdd43
0x003fdd43
0x003fdd5e
0x003fdd60
0x003fdd62
0x003fdd83
0x003fdd86
0x003fdd8c
0x003fdd8f
0x00000000
0x003fdd91
0x003fdd91
0x003fdd91
0x003fdd64
0x003fdd64
0x003fdd6b
0x00000000
0x003fdd70
0x003fdd62
0x003fdd77
0x003fdd81
0x003fdd16
0x003fdd1b
0x003fdd2a
0x003fdd2a

APIs

CreateThread.KERNEL32 ref: 003FDD58
GetLastError.KERNEL32(?,?,?,?,?,003F3F43,003F3670), ref: 003FDD64
__dosmaperr.LIBCMT ref: 003FDD6B

Strings

C??p6?, xrefs: 003FDD2D

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: C??p6?
API String ID: 2744730728-3636251353
Opcode ID: 01b23ae0caf1024c626fb748926d8b91a53f48d367f158f3b27ff8cedb9fe9ef
Instruction ID: 20dbb6510930815482e0db68ba12dad9d68b1120117d8bc6e0941c71d1b4a6b8
Opcode Fuzzy Hash: 01b23ae0caf1024c626fb748926d8b91a53f48d367f158f3b27ff8cedb9fe9ef
Instruction Fuzzy Hash: 5101C47280020CBBDB12ABA5DC0DBBE7E6ADF81375F214214F625961E0DB708901D664

Uniqueness

Uniqueness Score: -1.00%

Function 003FED78 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E003FED78(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x40d254(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x003fed7e
0x003fed82
0x003fed8d
0x003fed95
0x003feda0
0x003feda6
0x003fedaa
0x003fedb1
0x003fedb7
0x003fedb7
0x003fedb9
0x003fedbe
0x00000000
0x003fedc3
0x003fedca

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,003FED6D,?,?,003FED35,8007000E,?,?), ref: 003FED8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003FEDA0
FreeLibrary.KERNEL32(00000000,?,?,003FED6D,?,?,003FED35,8007000E,?,?), ref: 003FEDC3

Strings

CorExitProcess, xrefs: 003FED98
mscoree.dll, xrefs: 003FED86

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af33af2e2a14108040ac207c73c047b6f52ed295c5e6247160283a1e77c75ad7
Instruction ID: 65c5fb1b442bb841d1f1571620237fb668e81a1f530b3593cbb1b314503c327a
Opcode Fuzzy Hash: af33af2e2a14108040ac207c73c047b6f52ed295c5e6247160283a1e77c75ad7
Instruction Fuzzy Hash: 7DF08C34900219FBCB12AB91DE0ABEEBA79EB04756F1000B4F901B21B0CB748E04DAD4

Uniqueness

Uniqueness Score: -1.00%

Function 003F6330 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E003F6330(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x416f00;
				if(_t7 == 0) {
					LeaveCriticalSection(0x416ee8);
					_t3 = WaitForSingleObjectEx( *0x416ee4, _a4, 0);
					EnterCriticalSection(0x416ee8);
					return _t3;
				}
				 *0x40d254(0x416ee0, 0x416ee8, _a4);
				return  *_t7();
			}

0x003f6334
0x003f633c
0x003f635d
0x003f636e
0x003f6375
0x00000000
0x003f6375
0x003f634d
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,003F62CD,00000064), ref: 003F6353
LeaveCriticalSection.KERNEL32(00416EE8,?,?,003F62CD,00000064,?,?,?,003F54C7,00417958,003F10B7,9D5F503D,?,0040C58A,000000FF), ref: 003F635D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,003F62CD,00000064,?,?,?,003F54C7,00417958,003F10B7,9D5F503D,?,0040C58A,000000FF), ref: 003F636E
EnterCriticalSection.KERNEL32(00416EE8,?,003F62CD,00000064,?,?,?,003F54C7,00417958,003F10B7,9D5F503D,?,0040C58A,000000FF), ref: 003F6375

Strings

nA, xrefs: 003F6357

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: nA
API String ID: 3269011525-513057715
Opcode ID: 93f57cf2f70f4c0ab424dab0581fd9bdb078db2deea5ccd0e845d4da712b20e5
Instruction ID: 3e935bc084c5a09c94155a69abfc69b24c984277fcbd640b9160ee0c1a93b801
Opcode Fuzzy Hash: 93f57cf2f70f4c0ab424dab0581fd9bdb078db2deea5ccd0e845d4da712b20e5
Instruction Fuzzy Hash: 7FE0123AA41228E7C6026BD0ED09AEE7F29EB05751F024132F60566174CB79DC95CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004092C0 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004092C0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				signed int _t49;
				void* _t52;
				signed int _t56;
				void* _t60;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t71;
				intOrPtr _t85;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x416014; // 0x9d5f503d
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t68 = E00409DAE(_a16, _t93);
					_t103 = _t68 - _t93;
					_t4 = _t68 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t68;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t85 = E00403C58(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t85;
				if(_t85 == 0) {
					L39:
					return E003F5D05(_v8 ^ _t96);
				} else {
					_t17 = _t85 + _t85 + 8; // 0x8
					_t75 = _t17;
					asm("sbb eax, eax");
					_t49 = _t85 + _t85 & _t17;
					if(_t49 == 0) {
						_t71 = 0;
						L15:
						if(_t71 == 0) {
							L37:
							_t95 = 0;
							L38:
							E003FC570(_t71);
							goto L39;
						}
						_t52 = E00403C58(_t88, 1, _a16, _t93, _t71, _t85);
						_t100 = _t98 + 0x18;
						if(_t52 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E003FFCA8(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							_t77 = _t31;
							asm("sbb eax, eax");
							_t56 = _t95 + _t95 & _t31;
							if(_t56 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E003FFCA8(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E003FC570(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t60 = E00403CD4();
									_t95 = _t60;
									if(_t60 != 0) {
										E003FC570(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t56 > 0x400) {
								_t91 = E00400374(_t77, _t56);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040BB50();
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t64 = E003FFCA8(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
						_t95 = _t64;
						if(_t64 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t71 = E00400374(_t75, _t49);
						if(_t71 == 0) {
							L13:
							_t85 = _v12;
							goto L15;
						}
						 *_t71 = 0xdddd;
						L12:
						_t71 = _t71 + 8;
						goto L13;
					}
					E0040BB50();
					_t71 = _t98;
					if(_t71 == 0) {
						goto L13;
					}
					 *_t71 = 0xcccc;
					goto L12;
				}
			}

0x004092c5
0x004092c6
0x004092c7
0x004092ce
0x004092d3
0x004092d9
0x004092df
0x004092e5
0x004092e8
0x004092e8
0x004092eb
0x004092ed
0x004092ed
0x004092eb
0x004092ef
0x004092f4
0x004092fb
0x004092fe
0x004092fe
0x0040931f
0x00409321
0x00409324
0x00409329
0x00409487
0x00409498
0x0040932f
0x00409332
0x00409332
0x00409337
0x00409339
0x0040933b
0x00409372
0x00409374
0x00409376
0x0040947c
0x0040947c
0x0040947e
0x0040947f
0x00000000
0x00409485
0x00409385
0x0040938a
0x0040938f
0x00000000
0x00000000
0x00409395
0x004093ac
0x004093b0
0x00000000
0x00000000
0x004093be
0x004093fb
0x004093fb
0x00409400
0x00409402
0x00409404
0x00409435
0x00409437
0x00409439
0x00409475
0x00409476
0x00000000
0x00409456
0x00409458
0x00409459
0x0040945d
0x00409499
0x0040949c
0x0040945f
0x0040945f
0x00409460
0x00409460
0x00409461
0x00409462
0x00409463
0x00409464
0x00409467
0x0040946c
0x00409473
0x004094a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00409473
0x00409439
0x00409408
0x00409423
0x00409428
0x00000000
0x00000000
0x0040942a
0x00409430
0x00409430
0x00000000
0x00409430
0x0040940a
0x0040940f
0x00409413
0x00000000
0x00000000
0x00409415
0x00000000
0x00409415
0x004093c0
0x004093c5
0x00000000
0x00000000
0x004093cd
0x00000000
0x00000000
0x004093e4
0x004093e9
0x004093ed
0x00000000
0x00000000
0x00000000
0x004093f3
0x00409342
0x0040935d
0x00409362
0x0040936d
0x0040936d
0x00000000
0x0040936d
0x00409364
0x0040936a
0x0040936a
0x00000000
0x0040936a
0x00409344
0x00409349
0x0040934d
0x00000000
0x00000000
0x0040934f
0x00000000
0x0040934f

APIs

__alloca_probe_16.LIBCMT ref: 00409344
__alloca_probe_16.LIBCMT ref: 0040940A
__freea.LIBCMT ref: 00409476

Part of subcall function 00400374: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040566F,?,00000000,?,003FF6D2,?,00000004,00000004,?,00000000,?,003FF200), ref: 004003A6

__freea.LIBCMT ref: 0040947F
__freea.LIBCMT ref: 004094A2

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 0b2500bcb017229ff1d0f1ecabdb8ad96e9a41186f7f25b42bc38b73a20f24e7
Instruction ID: e3249d718d0ef6dc47e12fac2293b181e227f0ea937c3f84798ebb2b299e2d83
Opcode Fuzzy Hash: 0b2500bcb017229ff1d0f1ecabdb8ad96e9a41186f7f25b42bc38b73a20f24e7
Instruction Fuzzy Hash: D751F37260421AABDF219F608C41EBB77A9EF85750F15413AFD08BB2D2D738DC018668

Uniqueness

Uniqueness Score: -1.00%

Function 004046C8 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004046C8(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x416840; // 0x416890
					if(_t23 != 0) {
						E003FF8AF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x416844; // 0x417700
					if(_t24 != 0) {
						E003FF8AF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x416848; // 0x417700
					if(_t25 != 0) {
						E003FF8AF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x416870; // 0x416894
					if(_t26 != 0) {
						E003FF8AF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x416874; // 0x417704
					if(_t27 != 0) {
						return E003FF8AF(_t6);
					}
				}
				return _t6;
			}

0x004046ce
0x004046d3
0x004046d7
0x004046dd
0x004046e0
0x004046e5
0x004046e9
0x004046ef
0x004046f2
0x004046f7
0x004046fb
0x00404701
0x00404704
0x00404709
0x0040470d
0x00404713
0x00404716
0x0040471b
0x0040471c
0x0040471f
0x00404725
0x00000000
0x0040472d
0x00404725
0x00404730

APIs

_free.LIBCMT ref: 004046E0

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

_free.LIBCMT ref: 004046F2
_free.LIBCMT ref: 00404704
_free.LIBCMT ref: 00404716
_free.LIBCMT ref: 00404728

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ccc9c5b34ae14b621703551f1c01b5cd255566f312ef77d0ca33edcd99a00f5a
Instruction ID: 53b96b5e5ddb5c72606be3f6beb631a344864ed8581032a0667402ebcb36789c
Opcode Fuzzy Hash: ccc9c5b34ae14b621703551f1c01b5cd255566f312ef77d0ca33edcd99a00f5a
Instruction Fuzzy Hash: 06F0C2B2502204BBC221FB68E5C1C6B33E9EE903507650936FA08EB640CB38FC80866C

Uniqueness

Uniqueness Score: -1.00%

Function 003FE4EA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E003FE4EA(void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				WCHAR* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t25;
				WCHAR** _t35;
				WCHAR** _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t53;
				WCHAR** _t57;
				WCHAR* _t63;
				WCHAR* _t65;

				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L5:
						GetModuleFileNameW(0, 0x417028, 0x104);
						_t25 =  *0x4176f8; // 0x1441c4a
						 *0x4176e4 = 0x417028;
						_v20 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L7:
							_t25 = 0x417028;
							_v20 = 0x417028;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t63 = E003FE7AE(E003FE619(_t25, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
							__eflags = _t63;
							if(__eflags != 0) {
								E003FE619(_v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t47 - 1;
								if(_t47 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t48 = E00403447(_t47, 0, _t63, _t63);
									__eflags = _t48;
									if(_t48 == 0) {
										_t57 = _v12;
										_t53 = 0;
										_t35 = _t57;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											L17:
											_t36 = 0;
											 *0x4176e8 = _t53;
											_v12 = 0;
											_t48 = 0;
											 *0x4176f0 = _t57;
											L18:
											E003FF8AF(_t36);
											_v12 = 0;
											L19:
											E003FF8AF(_t63);
											_t39 = _t48;
											L20:
											return _t39;
										} else {
											goto L16;
										}
										do {
											L16:
											_t35 =  &(_t35[1]);
											_t53 =  &(_t53[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
										goto L17;
									}
									_t36 = _v12;
									goto L18;
								}
								_t41 = _v8 - 1;
								__eflags = _t41;
								 *0x4176e8 = _t41;
								_t42 = _t63;
								_t63 = 0;
								 *0x4176f0 = _t42;
								L12:
								_t48 = 0;
								goto L19;
							}
							_t43 = E003FD87D(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							goto L12;
						}
						__eflags =  *_t25;
						if( *_t25 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t47 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t44 = E003FD87D(__eflags);
					_t65 = 0x16;
					 *_t44 = _t65;
					E003FDA3C();
					_t39 = _t65;
					goto L20;
				}
				return 0;
			}

0x003fe4f3
0x003fe4f8
0x003fe502
0x003fe505
0x003fe522
0x003fe531
0x003fe537
0x003fe53c
0x003fe542
0x003fe545
0x003fe547
0x003fe54e
0x003fe54e
0x003fe550
0x003fe553
0x003fe556
0x003fe55d
0x003fe576
0x003fe57b
0x003fe57d
0x003fe59e
0x003fe5a6
0x003fe5a9
0x003fe5c4
0x003fe5c7
0x003fe5ce
0x003fe5d2
0x003fe5d4
0x003fe5db
0x003fe5de
0x003fe5e0
0x003fe5e2
0x003fe5e4
0x003fe5ee
0x003fe5ee
0x003fe5f0
0x003fe5f6
0x003fe5f9
0x003fe5fb
0x003fe601
0x003fe602
0x003fe608
0x003fe60b
0x003fe60c
0x003fe612
0x003fe615
0x00000000
0x00000000
0x00000000
0x00000000
0x003fe5e6
0x003fe5e6
0x003fe5e6
0x003fe5e9
0x003fe5ea
0x003fe5ea
0x00000000
0x003fe5e6
0x003fe5d6
0x00000000
0x003fe5d6
0x003fe5ae
0x003fe5ae
0x003fe5af
0x003fe5b4
0x003fe5b6
0x003fe5b8
0x003fe5bd
0x003fe5bd
0x00000000
0x003fe5bd
0x003fe57f
0x003fe584
0x003fe586
0x003fe587
0x00000000
0x003fe587
0x003fe549
0x003fe54c
0x00000000
0x00000000
0x00000000
0x003fe54c
0x003fe507
0x003fe50a
0x00000000
0x00000000
0x003fe50c
0x003fe513
0x003fe514
0x003fe516
0x003fe51b
0x00000000
0x003fe51b
0x00000000

Strings

C:\Users\user\Desktop\fa_rss.exe, xrefs: 003FE528, 003FE52F, 003FE563

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\fa_rss.exe
API String ID: 0-1546546606
Opcode ID: c85b51ffcbff5b075ac272dc1f10a8721cfe65e0385b7d445b006fe54556686f
Instruction ID: 50bb23ef9485e31c9eea5f5cbd75db240592b7dae6ae683158755616fe36e25b
Opcode Fuzzy Hash: c85b51ffcbff5b075ac272dc1f10a8721cfe65e0385b7d445b006fe54556686f
Instruction Fuzzy Hash: 9D31A075A0421CABCB23DF998C85CBEBBB8EB99714B114066F605D7260E770CA40C794

Uniqueness

Uniqueness Score: -1.00%

Function 00400CE2 Relevance: 6.3, APIs: 4, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00400CE2(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				signed int* _t120;
				void* _t123;
				signed int _t125;
				signed int _t131;
				signed int* _t132;
				signed int* _t135;
				signed int _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t154;
				void* _t158;
				unsigned int _t159;
				signed int _t166;
				void* _t167;
				signed int _t168;
				signed int* _t169;
				signed int _t172;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t186;

				_t167 = __edx;
				_t180 = _a24;
				if(_t180 < 0) {
					_t180 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E003FA2F9( &_v60, _t167, _a36);
				_t5 = _t180 + 0xb; // 0xb
				_t192 = _a12 - _t5;
				if(_a12 > _t5) {
					_t135 = _a4;
					_t141 = _t135[1];
					_t168 =  *_t135;
					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t141;
						if(__eflags > 0) {
							L14:
							_t17 = _t184 + 1; // 0x3fb1d1
							_t169 = _t17;
							_t85 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t85;
							_v40 = _t169;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t141 & 0x7ff00000;
							_t91 = 0x30;
							if((_t141 & 0x7ff00000) != 0) {
								 *_t184 = 0x31;
								L19:
								_t143 = 0;
								__eflags = 0;
								L20:
								_t25 =  &(_t169[0]); // 0x3fb1d1
								_t185 = _t25;
								_v16 = _t185;
								__eflags = _t180;
								if(_t180 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t143;
								}
								 *_t169 = _t95;
								_t97 = _t135[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t170 = _t143;
									_t144 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v16 = _t143;
									_v24 = 0xf0000;
									do {
										__eflags = _t180;
										if(_t180 <= 0) {
											break;
										}
										_t123 = E0040BEC0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
										_t158 = 0x30;
										_t125 = _t123 + _t158 & 0x0000ffff;
										__eflags = _t125 - 0x39;
										if(_t125 > 0x39) {
											_t125 = _t125 + _v32;
											__eflags = _t125;
										}
										_t159 = _v24;
										_t170 = (_t159 << 0x00000020 | _v16) >> 4;
										 *_t185 = _t125;
										_t185 = _t185 + 1;
										_t144 = _t159 >> 4;
										_t98 = _v12 - 4;
										_t180 = _t180 - 1;
										_v16 = (_t159 << 0x00000020 | _v16) >> 4;
										_v24 = _t159 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v16 = _t185;
									__eflags = _t98;
									if(_t98 < 0) {
										goto L42;
									}
									_t119 = E0040BEC0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
									__eflags = _t119 - 8;
									if(_t119 <= 8) {
										goto L42;
									}
									_t50 = _t185 - 1; // 0x3fb1d1
									_t120 = _t50;
									_t139 = 0x30;
									while(1) {
										_t153 =  *_t120;
										__eflags = _t153 - 0x66;
										if(_t153 == 0x66) {
											goto L35;
										}
										__eflags = _t153 - 0x46;
										if(_t153 != 0x46) {
											_t135 = _a4;
											__eflags = _t120 - _v40;
											if(_t120 == _v40) {
												_t54 = _t120 - 1;
												 *_t54 =  *(_t120 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t153 - 0x39;
												if(_t153 != 0x39) {
													_t154 = _t153 + 1;
													__eflags = _t154;
												} else {
													_t154 = _v32 + 0x3a;
												}
												 *_t120 = _t154;
											}
											goto L42;
										}
										L35:
										 *_t120 = _t139;
										_t120 = _t120 - 1;
									}
								} else {
									__eflags =  *_t135 - _t143;
									if( *_t135 <= _t143) {
										L42:
										__eflags = _t180;
										if(_t180 > 0) {
											_push(_t180);
											_t115 = 0x30;
											_push(_t115);
											_push(_t185);
											E003F7720(_t180);
											_t185 = _t185 + _t180;
											__eflags = _t185;
											_v16 = _t185;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t185 = _t99;
											_v16 = _t185;
										}
										 *_t185 = (_v5 << 5) + 0x50;
										_t104 = E0040BEC0( *_t135, 0x34, _t135[1]);
										_t186 = 0;
										_t105 = _v16;
										_t148 = (_t104 & 0x000007ff) - _v20;
										__eflags = _t148;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x3fb1d1
										_t172 = _t63;
										_v40 = _t172;
										if(__eflags < 0) {
											L50:
											_t148 =  ~_t148;
											asm("adc esi, 0x0");
											_t186 =  ~_t186;
											_t136 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t136 = 0x2b;
												L51:
												 *(_t105 + 1) = _t136;
												_t181 = _t172;
												_t106 = 0x30;
												 *_t172 = _t106;
												_t107 = 0;
												__eflags = _t186;
												if(__eflags < 0) {
													L55:
													__eflags = _t181 - _t172;
													if(_t181 != _t172) {
														L59:
														_push(_t136);
														_push(_t107);
														_push(0x64);
														_push(_t186);
														_t108 = E0040BDE0();
														_t186 = _t136;
														_t136 = _t148;
														_v32 = _t172;
														_t172 = _v40;
														 *_t181 = _t108 + 0x30;
														_t181 = _t181 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t181 - _t172;
														if(_t181 != _t172) {
															L64:
															_push(_t136);
															_push(_t107);
															_push(0xa);
															_push(_t186);
															_push(_t148);
															_t110 = E0040BDE0();
															_v40 = _t172;
															 *_t181 = _t110 + 0x30;
															_t181 = _t181 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t149 = _t148 + 0x30;
															__eflags = _t149;
															 *_t181 = _t149;
															 *(_t181 + 1) = _t107;
															_t182 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t182;
														}
														__eflags = _t186 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t148 - 0xa;
														if(_t148 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t186 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t148 - 0x64;
													if(_t148 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t136 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t136);
													_push(_t107);
													_push(_t136);
													_push(_t186);
													_t113 = E0040BDE0();
													_t186 = _t136;
													_t136 = _t148;
													_v32 = _t172;
													_t172 = _v40;
													 *_t172 = _t113 + 0x30;
													_t181 = _t172 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t148 - 0x3e8;
												if(_t148 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t148;
											if(_t148 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t184 = _t91;
							_t143 =  *_t135 | _t135[1] & 0x000fffff;
							__eflags = _t143;
							if(_t143 != 0) {
								_v20 = 0x3fe;
								goto L19;
							}
							_v20 = _t143;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
							_t141 = _t135[1];
							goto L14;
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t182 = E00400FFB(_t135, _t141, _t135, _t184, _a12, _a16, _a20, _t180, 0, _a32, 0);
					__eflags = _t182;
					if(_t182 == 0) {
						_t131 = E0040C1D0(_t184, 0x65);
						__eflags = _t131;
						if(_t131 != 0) {
							_t166 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t166;
							 *_t131 = _t166;
							 *((char*)(_t131 + 3)) = 0;
						}
						_t182 = 0;
					} else {
						 *_t184 = 0;
					}
					goto L66;
				}
				_t132 = E003FD87D(_t192);
				_t182 = 0x22;
				 *_t132 = _t182;
				E003FDA3C();
				goto L66;
			}

0x00400ce2
0x00400ced
0x00400cf2
0x00400cf4
0x00400cf4
0x00400cf8
0x00400d01
0x00400d03
0x00400d08
0x00400d0b
0x00400d0e
0x00400d24
0x00400d27
0x00400d2c
0x00400d36
0x00400d3b
0x00400d8f
0x00400d91
0x00400da0
0x00400da3
0x00400da3
0x00400da6
0x00400da8
0x00400daf
0x00400dc1
0x00400dc4
0x00400dc9
0x00400dcd
0x00400dce
0x00400dee
0x00400df1
0x00400df1
0x00400df1
0x00400df3
0x00400df3
0x00400df3
0x00400df6
0x00400df9
0x00400dfb
0x00400e0c
0x00400dfd
0x00400dfd
0x00400dfd
0x00400e0e
0x00400e13
0x00400e13
0x00400e18
0x00400e1b
0x00400e25
0x00400e27
0x00400e29
0x00400e2e
0x00400e2f
0x00400e32
0x00400e35
0x00400e38
0x00400e38
0x00400e3a
0x00000000
0x00000000
0x00400e51
0x00400e58
0x00400e5c
0x00400e5f
0x00400e62
0x00400e64
0x00400e64
0x00400e64
0x00400e6a
0x00400e6d
0x00400e71
0x00400e73
0x00400e77
0x00400e7a
0x00400e7d
0x00400e7e
0x00400e81
0x00400e84
0x00400e87
0x00400e87
0x00400e8c
0x00400e8f
0x00400e92
0x00000000
0x00000000
0x00400ea9
0x00400eae
0x00400eb2
0x00000000
0x00000000
0x00400eb6
0x00400eb6
0x00400eb9
0x00400eba
0x00400eba
0x00400ebc
0x00400ebf
0x00000000
0x00000000
0x00400ec1
0x00400ec4
0x00400ecb
0x00400ece
0x00400ed1
0x00400ee6
0x00400ee6
0x00400ee6
0x00400ed3
0x00400ed3
0x00400ed6
0x00400ee0
0x00400ee0
0x00400ed8
0x00400edb
0x00400edb
0x00400ee2
0x00400ee2
0x00000000
0x00400ed1
0x00400ec6
0x00400ec6
0x00400ec8
0x00400ec8
0x00400e1d
0x00400e1d
0x00400e1f
0x00400ee9
0x00400ee9
0x00400eeb
0x00400eed
0x00400ef0
0x00400ef1
0x00400ef2
0x00400ef3
0x00400efb
0x00400efb
0x00400efd
0x00400efd
0x00400f00
0x00400f03
0x00400f06
0x00400f08
0x00400f0a
0x00400f0a
0x00400f17
0x00400f1e
0x00400f25
0x00400f27
0x00400f30
0x00400f30
0x00400f33
0x00400f35
0x00400f35
0x00400f38
0x00400f3b
0x00400f47
0x00400f47
0x00400f4b
0x00400f4e
0x00400f50
0x00000000
0x00400f3d
0x00400f3d
0x00400f43
0x00400f43
0x00400f51
0x00400f51
0x00400f54
0x00400f58
0x00400f59
0x00400f5b
0x00400f5d
0x00400f5f
0x00400f89
0x00400f89
0x00400f8b
0x00400f98
0x00400f98
0x00400f99
0x00400f9a
0x00400f9c
0x00400f9e
0x00400fa3
0x00400fa5
0x00400fa9
0x00400fac
0x00400faf
0x00400fb1
0x00400fb2
0x00400fb2
0x00400fb4
0x00400fb4
0x00400fb6
0x00400fc3
0x00400fc3
0x00400fc4
0x00400fc5
0x00400fc7
0x00400fc8
0x00400fc9
0x00400fd2
0x00400fd5
0x00400fd7
0x00400fd8
0x00400fd8
0x00400fda
0x00400fda
0x00400fda
0x00400fdd
0x00400fdf
0x00400fe2
0x00400fe4
0x00400fea
0x00400fef
0x00400fef
0x00400ffa
0x00400ffa
0x00400fb8
0x00400fba
0x00000000
0x00000000
0x00400fbc
0x00000000
0x00000000
0x00400fbe
0x00400fc1
0x00000000
0x00000000
0x00000000
0x00400fc1
0x00400f8d
0x00400f8f
0x00000000
0x00000000
0x00400f91
0x00000000
0x00000000
0x00400f93
0x00400f96
0x00000000
0x00000000
0x00000000
0x00400f96
0x00400f61
0x00400f66
0x00400f6c
0x00400f6c
0x00400f6d
0x00400f6e
0x00400f6f
0x00400f71
0x00400f76
0x00400f78
0x00400f7a
0x00400f7f
0x00400f82
0x00400f84
0x00400f87
0x00400f87
0x00000000
0x00400f87
0x00400f68
0x00400f6a
0x00000000
0x00000000
0x00000000
0x00400f6a
0x00400f3f
0x00400f41
0x00000000
0x00000000
0x00000000
0x00400f41
0x00400f3b
0x00000000
0x00400e1f
0x00400e1b
0x00400dd0
0x00400ddc
0x00400ddc
0x00400dde
0x00400de5
0x00000000
0x00400de5
0x00400de0
0x00000000
0x00400de0
0x00400d93
0x00400d99
0x00400d99
0x00400d9c
0x00400d9c
0x00400d9d
0x00000000
0x00400d9d
0x00400d95
0x00400d97
0x00000000
0x00000000
0x00000000
0x00400d97
0x00400d55
0x00400d5a
0x00400d5c
0x00400d69
0x00400d70
0x00400d72
0x00400d7d
0x00400d7d
0x00400d80
0x00400d82
0x00400d82
0x00400d86
0x00400d5e
0x00400d5e
0x00400d5e
0x00000000
0x00400d5c
0x00400d10
0x00400d17
0x00400d18
0x00400d1a
0x00000000

APIs

_strrchr.LIBCMT ref: 00400D69

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 1bfd29257f1b2dd1dd5c4284c4e1fba18b956fa2d019243db6a65cbb2e227977
Instruction ID: 4789ff15ba2f204c90b3ad86249cee35cb98902d5b1986493ed5a9910011ad46
Opcode Fuzzy Hash: 1bfd29257f1b2dd1dd5c4284c4e1fba18b956fa2d019243db6a65cbb2e227977
Instruction Fuzzy Hash: 17B115319042869FDB21CF68C841BAFBBE5EF45340F14457BE845BB382D6789D02CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 003F4470 Relevance: 6.2, APIs: 4, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E003F4470(short* __ebx, int __ecx, signed int __edx, void* __eflags, short* _a4) {
				signed short _v0;
				signed int _v4;
				int _v8;
				char _v16;
				intOrPtr* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed short _v40;
				signed int _v60;
				intOrPtr _v72;
				signed int _v76;
				signed int _v88;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr* _v108;
				intOrPtr _v120;
				void* __edi;
				void* __esi;
				signed int _t77;
				signed short _t83;
				signed int _t89;
				signed int _t91;
				signed short _t94;
				void* _t98;
				signed int _t100;
				intOrPtr _t101;
				intOrPtr* _t103;
				signed int _t104;
				intOrPtr* _t106;
				intOrPtr _t107;
				intOrPtr* _t109;
				signed int _t110;
				void* _t111;
				signed int _t113;
				signed int _t114;
				void* _t115;
				signed int _t117;
				intOrPtr* _t120;
				signed int _t124;
				intOrPtr* _t127;
				signed int _t134;
				signed int _t140;
				void* _t146;
				signed int _t150;
				short* _t157;
				struct HINSTANCE__* _t158;
				signed int _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				struct HINSTANCE__* _t167;
				int _t169;
				signed int _t170;
				signed int _t176;
				intOrPtr* _t178;
				intOrPtr* _t180;
				intOrPtr _t181;
				intOrPtr _t182;
				void* _t196;
				void* _t203;
				void* _t207;
				intOrPtr* _t209;
				signed int _t216;
				int _t217;
				signed int _t219;
				intOrPtr* _t220;
				intOrPtr _t226;
				unsigned int _t229;
				int _t231;
				unsigned int _t232;
				signed int _t234;
				intOrPtr* _t235;
				signed int _t236;
				intOrPtr _t237;
				void* _t238;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t253;
				void* _t254;
				void* _t255;

				_t205 = __edx;
				_t157 = __ebx;
				_push(0xffffffff);
				_push(E0040C8C8);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ebx);
				_push(_t216);
				_t77 =  *0x416014; // 0x9d5f503d
				_push(_t77 ^ _t247);
				 *[fs:0x0] =  &_v16;
				_t231 = __ecx;
				_v20 = __ecx;
				_t169 = E003F5450(__ecx);
				if(_t169 == 0) {
					_push(0x80004005);
					E003F5550(__ebx, __edx, _t216, __ecx);
					goto L25;
				} else {
					 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)( *_t169 + 0xc))() + 0x10;
					_t157 = _a4;
					_v8 = 0;
					if(_t157 == 0) {
						L16:
						_t134 =  *_t231;
						__eflags =  *(_t134 - 0xc);
						_t19 = _t134 - 0x10; // -32
						_t205 = _t19;
						_t216 =  *_t205;
						if( *(_t134 - 0xc) == 0) {
							goto L23;
						} else {
							__eflags =  *(_t205 + 0xc);
							_t21 = _t205 + 0xc; // -20
							_t169 = _t21;
							if( *(_t205 + 0xc) >= 0) {
								asm("lock xadd [ecx], eax");
								__eflags = (_t134 | 0xffffffff) - 1;
								if((_t134 | 0xffffffff) - 1 <= 0) {
									 *((intOrPtr*)( *( *_t205) + 4))(_t205);
								}
								_t140 =  *((intOrPtr*)( *_t216 + 0xc))() + 0x10;
								__eflags = _t140;
								 *_t231 = _t140;
								goto L23;
							} else {
								__eflags =  *(_t134 - 8);
								if( *(_t134 - 8) < 0) {
									goto L25;
								} else {
									 *(_t134 - 0xc) = 0;
									 *( *_t231) = 0;
									goto L23;
								}
							}
						}
					} else {
						_t262 = _t157 & 0xffff0000;
						if((_t157 & 0xffff0000) != 0) {
							_t12 = WideCharToMultiByte(3, 0, _t157, 0xffffffff, 0, 0, 0, 0) - 1; // -1
							_t216 = _t12;
							__eflags = _t216;
							if(_t216 <= 0) {
								goto L16;
							} else {
								_t196 =  *_t231;
								_t169 =  *((intOrPtr*)(_t196 - 8)) - _t216;
								_t205 = 0x00000001 -  *((intOrPtr*)(_t196 - 4)) | _t169;
								__eflags = 1;
								if(1 < 0) {
									_t169 = _t231;
									E003F49D0(_t157, _t169, _t205, _t216);
								}
								_push(0);
								_push(0);
								_push(_t216);
								_push( *_t231);
								_push(0xffffffff);
								_push(_t157);
								goto L14;
							}
						} else {
							_t229 = _t157 & 0x0000ffff;
							_t167 = E003F4E80(_t229, _t262);
							if(_t167 == 0) {
								L23:
								 *[fs:0x0] = _v16;
								return _t231;
							} else {
								_t150 = FindResourceW(_t167, (_t229 >> 4) + 1, 6);
								if(_t150 == 0) {
									goto L23;
								} else {
									_t205 = _t150;
									_t157 = E003F4E20(_t167, _t150, _t229);
									_t252 = _t252 + 4;
									if(_t157 == 0) {
										goto L23;
									} else {
										_t169 =  *_t157 & 0x0000ffff;
										_t8 =  &(_t157[1]); // 0x2
										_t216 = WideCharToMultiByte(3, 0, _t8, _t169, 0, 0, 0, 0);
										if(_t216 < 0) {
											L25:
											_push(0x80070057);
											E003F5550(_t157, _t205, _t216, _t231);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_t248 = _t252;
											_t83 = _v40;
											_push(_t216);
											_t217 = _t169;
											_t170 = 0;
											__eflags = _t83;
											if(_t83 == 0) {
												L37:
												return _t170;
											} else {
												__eflags = _t83 & 0xffff0000;
												if(__eflags != 0) {
													goto L37;
												} else {
													_push(_t157);
													_push(_t231);
													_t232 = _t83 & 0x0000ffff;
													_t158 = E003F4E80(_t232, __eflags);
													__eflags = _t158;
													if(_t158 == 0) {
														L36:
														_t170 = 1;
														goto L37;
													} else {
														_t89 = FindResourceW(_t158, (_t232 >> 4) + 1, 6);
														__eflags = _t89;
														if(_t89 == 0) {
															goto L36;
														} else {
															_t160 = E003F4E20(_t158, _t89, _t232);
															_t253 = _t252 + 4;
															__eflags = _t160;
															if(_t160 == 0) {
																goto L36;
															} else {
																_t207 =  *_t217;
																_t91 =  *_t160 & 0x0000ffff;
																_t234 = _t91;
																_v0 = _t91;
																__eflags = 0x00000001 -  *((intOrPtr*)(_t207 - 4)) |  *((intOrPtr*)(_t207 - 8)) - _t234;
																if((0x00000001 -  *((intOrPtr*)(_t207 - 4)) |  *((intOrPtr*)(_t207 - 8)) - _t234) >= 0) {
																	_t94 = _v0;
																} else {
																	_push(_t234);
																	L49();
																	_t207 =  *_t217;
																	_t94 =  *_t160 & 0x0000ffff;
																}
																_t176 = _t94 & 0x0000ffff;
																_t34 = _t160 + 2; // 0x2
																_push(E003FE240(_t207, _t234, _t34, _t176));
																L003F5570(_t160, _t207, _t217, _t234);
																_t98 =  *_t217;
																_t254 = _t253 + 0x14;
																__eflags = _t234 -  *((intOrPtr*)(_t98 - 8));
																if(_t234 >  *((intOrPtr*)(_t98 - 8))) {
																	E003F5550(_t160, _t207, _t217, _t234);
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	_t249 = _t254;
																	_t255 = _t254 - 8;
																	_t100 = _t176;
																	_v76 = _t100;
																	_t101 =  *_t100;
																	_t235 = _t101 - 0x10;
																	_t161 =  *((intOrPtr*)(_t235 + 4));
																	_v72 = _t101;
																	_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t101 - 0x10)))) + 0x10))(_t217, _t234, _t160, _t248, 0x80070057);
																	_t219 = _v60;
																	_t178 = _t103;
																	_t208 =  *_t103;
																	_t104 =  *((intOrPtr*)( *_t103))(_t219, 2);
																	_v60 = _t104;
																	__eflags = _t104;
																	if(_t104 == 0) {
																		E003F4880(_t161, _t178, _t208, _t219, _t235);
																		asm("int3");
																		_t250 = _t255;
																		_t106 = _t178;
																		_v108 = _t106;
																		_t107 =  *_t106;
																		_t162 =  *((intOrPtr*)(_t107 - 0xc));
																		_t220 = _t107 - 0x10;
																		_v100 = _t107;
																		_v104 = _t162;
																		_t109 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t107 - 0x10)))) + 0x10))(_t219, _t235, _t161, _t249);
																		_t236 = _v88;
																		_t180 = _t109;
																		_t209 =  *_t109;
																		_t110 =  *_t209(_t236, 1);
																		_v88 = _t110;
																		__eflags = _t110;
																		if(_t110 == 0) {
																			_t111 = E003F4880(_t162, _t180, _t209, _t220, _t236);
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			_push(_t250);
																			_push(_t236);
																			_t237 = _v120;
																			_push(_t220);
																			_t221 = _t180;
																			_t181 =  *_t180;
																			__eflags =  *((intOrPtr*)(_t181 - 0xc)) - _t237;
																			_t238 =  >  ?  *((void*)(_t181 - 0xc)) : _t237;
																			__eflags =  *((intOrPtr*)(_t181 - 4)) - 1;
																			if( *((intOrPtr*)(_t181 - 4)) <= 1) {
																				_t182 =  *((intOrPtr*)(_t181 - 8));
																				__eflags = _t182 - _t238;
																				if(_t182 < _t238) {
																					__eflags = _t182 - 0x40000000;
																					if(_t182 <= 0x40000000) {
																						asm("cdq");
																						_t113 = _t182 - _t209;
																						__eflags = _t113;
																						_t114 = _t113 >> 1;
																					} else {
																						_t114 = 0x100000;
																					}
																					_t115 = _t114 + _t182;
																					__eflags = _t115 - _t238;
																					_t240 =  >=  ? _t115 : _t238;
																					_push( >=  ? _t115 : _t238);
																					_t111 = E003F4A30(_t162, _t221);
																				}
																				return _t111;
																			} else {
																				_push(_t238);
																				L39();
																				return _t111;
																			}
																		} else {
																			__eflags = _t162 - _t236;
																			_t242 =  <  ? _t162 : _t236;
																			_t64 = _t110 + 0x10; // 0x10
																			_t163 = _t64;
																			_t243 = ( <  ? _t162 : _t236) + 1;
																			E003F4F00(_t163, ( <  ? _t162 : _t236) + 1, _v20, ( <  ? _t162 : _t236) + 1);
																			_t117 = _v24;
																			 *(_v8 + 4) = _t117;
																			asm("lock xadd [edi+0xc], eax");
																			__eflags = (_t117 | 0xffffffff) - 1;
																			if((_t117 | 0xffffffff) - 1 <= 0) {
																				 *((intOrPtr*)( *((intOrPtr*)( *_t220)) + 4))(_t220);
																			}
																			_t120 = _v28;
																			 *_t120 = _t163;
																			return _t120;
																		}
																	} else {
																		__eflags = _t161 - _t219;
																		_t225 =  <  ? _t161 : _t219;
																		_t211 = 2 + ( <  ? _t161 : _t219) * 2;
																		_t226 = _t104 + 0x10;
																		E003F4F00(_t226, 2 + ( <  ? _t161 : _t219) * 2, _v16, 2 + ( <  ? _t161 : _t219) * 2);
																		_t124 = _v4;
																		 *((intOrPtr*)(_t124 + 4)) = _t161;
																		asm("lock xadd [esi+0xc], eax");
																		__eflags = (_t124 | 0xffffffff) - 1;
																		if((_t124 | 0xffffffff) - 1 <= 0) {
																			 *((intOrPtr*)( *((intOrPtr*)( *_t235)) + 4))(_t235);
																		}
																		_t127 = _v20;
																		 *_t127 = _t226;
																		return _t127;
																	}
																} else {
																	 *(_t98 - 0xc) = _t234;
																	__eflags = 0;
																	 *((short*)( *_t217 + _t234 * 2)) = 0;
																	goto L36;
																}
															}
														}
													}
												}
											}
										} else {
											_t203 =  *_t231;
											_t169 =  *((intOrPtr*)(_t203 - 8)) - _t216;
											_t205 = 0x00000001 -  *((intOrPtr*)(_t203 - 4)) | _t169;
											if(1 < 0) {
												_t169 = _t231;
												E003F49D0(_t157, _t169, _t205, _t216);
											}
											_push(0);
											_push(0);
											_push(_t216);
											_push( *_t231);
											_push( *_t157 & 0x0000ffff);
											_t11 =  &(_t157[1]); // 0x2
											L14:
											WideCharToMultiByte(3, 0, ??, ??, ??, ??, ??, ??);
											_t146 =  *_t231;
											if(_t216 >  *((intOrPtr*)(_t146 - 8))) {
												goto L25;
											} else {
												 *(_t146 - 0xc) = _t216;
												 *((char*)(_t216 +  *_t231)) = 0;
												goto L23;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x003f4470
0x003f4470
0x003f4473
0x003f4475
0x003f4480
0x003f4481
0x003f4482
0x003f4484
0x003f4485
0x003f448c
0x003f4490
0x003f4496
0x003f4498
0x003f44a0
0x003f44a4
0x003f4622
0x003f4627
0x00000000
0x003f44aa
0x003f44b2
0x003f44b4
0x003f44b7
0x003f44c0
0x003f45c2
0x003f45c2
0x003f45c4
0x003f45c8
0x003f45c8
0x003f45cb
0x003f45cd
0x00000000
0x003f45cf
0x003f45cf
0x003f45d3
0x003f45d3
0x003f45d6
0x003f45ef
0x003f45f4
0x003f45f6
0x003f45fd
0x003f45fd
0x003f4607
0x003f4607
0x003f460a
0x00000000
0x003f45d8
0x003f45d8
0x003f45dc
0x00000000
0x003f45de
0x003f45de
0x003f45e7
0x00000000
0x003f45e7
0x003f45dc
0x003f45d6
0x003f44c6
0x003f44c6
0x003f44cc
0x003f457a
0x003f457a
0x003f457d
0x003f457f
0x00000000
0x003f4581
0x003f4581
0x003f458e
0x003f4590
0x003f4590
0x003f4592
0x003f4595
0x003f4597
0x003f4597
0x003f459c
0x003f459e
0x003f45a0
0x003f45a1
0x003f45a3
0x003f45a5
0x00000000
0x003f45a5
0x003f44d2
0x003f44d2
0x003f44dc
0x003f44e0
0x003f460c
0x003f4611
0x003f461f
0x003f44e6
0x003f44f0
0x003f44f8
0x00000000
0x003f44fe
0x003f44ff
0x003f4508
0x003f450a
0x003f450f
0x00000000
0x003f4515
0x003f4515
0x003f4518
0x003f452f
0x003f4533
0x003f462c
0x003f462c
0x003f4631
0x003f4636
0x003f4637
0x003f4638
0x003f4639
0x003f463a
0x003f463b
0x003f463c
0x003f463d
0x003f463e
0x003f463f
0x003f4641
0x003f4643
0x003f4646
0x003f4647
0x003f4649
0x003f464b
0x003f464d
0x003f46f2
0x003f46f6
0x003f4653
0x003f4653
0x003f4658
0x00000000
0x003f465e
0x003f465e
0x003f465f
0x003f4660
0x003f466a
0x003f466c
0x003f466e
0x003f46ee
0x003f46ef
0x00000000
0x003f4670
0x003f467a
0x003f4680
0x003f4682
0x00000000
0x003f4684
0x003f468e
0x003f4690
0x003f4693
0x003f4695
0x00000000
0x003f4697
0x003f4697
0x003f469e
0x003f46a1
0x003f46a3
0x003f46ae
0x003f46b0
0x003f46c1
0x003f46b2
0x003f46b2
0x003f46b5
0x003f46ba
0x003f46bc
0x003f46bc
0x003f46c4
0x003f46c7
0x003f46d3
0x003f46d4
0x003f46d9
0x003f46db
0x003f46de
0x003f46e1
0x003f46fe
0x003f4703
0x003f4704
0x003f4705
0x003f4706
0x003f4707
0x003f4708
0x003f4709
0x003f470a
0x003f470b
0x003f470c
0x003f470d
0x003f470e
0x003f470f
0x003f4711
0x003f4713
0x003f4716
0x003f4718
0x003f471d
0x003f4722
0x003f4725
0x003f4728
0x003f472e
0x003f4731
0x003f4734
0x003f4739
0x003f473b
0x003f473d
0x003f4740
0x003f4742
0x003f478a
0x003f478f
0x003f4791
0x003f4796
0x003f4799
0x003f479d
0x003f47a2
0x003f47a6
0x003f47a9
0x003f47ae
0x003f47b1
0x003f47b4
0x003f47b7
0x003f47bc
0x003f47be
0x003f47c0
0x003f47c3
0x003f47c5
0x003f480c
0x003f4811
0x003f4812
0x003f4813
0x003f4814
0x003f4815
0x003f4816
0x003f4817
0x003f4818
0x003f4819
0x003f481a
0x003f481b
0x003f481c
0x003f481d
0x003f481e
0x003f481f
0x003f4820
0x003f4823
0x003f4824
0x003f4827
0x003f4828
0x003f482a
0x003f482c
0x003f482f
0x003f4833
0x003f4837
0x003f4847
0x003f484a
0x003f484c
0x003f484e
0x003f4854
0x003f485f
0x003f4860
0x003f4860
0x003f4862
0x003f4856
0x003f4856
0x003f4856
0x003f4864
0x003f4868
0x003f486a
0x003f486d
0x003f486e
0x003f486e
0x003f4876
0x003f4839
0x003f4839
0x003f483c
0x003f4844
0x003f4844
0x003f47c7
0x003f47c7
0x003f47c9
0x003f47cc
0x003f47cc
0x003f47cf
0x003f47d8
0x003f47e3
0x003f47e6
0x003f47ec
0x003f47f2
0x003f47f4
0x003f47fb
0x003f47fb
0x003f47fe
0x003f4803
0x003f4809
0x003f4809
0x003f4744
0x003f4744
0x003f4746
0x003f4749
0x003f4754
0x003f4759
0x003f475e
0x003f4764
0x003f476a
0x003f4770
0x003f4772
0x003f4779
0x003f4779
0x003f477c
0x003f477f
0x003f4787
0x003f4787
0x003f46e3
0x003f46e3
0x003f46e6
0x003f46ea
0x00000000
0x003f46ea
0x003f46e1
0x003f4695
0x003f4682
0x003f466e
0x003f4658
0x003f4539
0x003f4539
0x003f4546
0x003f4548
0x003f454a
0x003f454d
0x003f454f
0x003f454f
0x003f4557
0x003f4559
0x003f455b
0x003f455c
0x003f455e
0x003f455f
0x003f45a6
0x003f45aa
0x003f45b0
0x003f45b5
0x00000000
0x003f45b7
0x003f45b7
0x003f45bc
0x00000000
0x003f45bc
0x003f45b5
0x003f4533
0x003f450f
0x003f44f8
0x003f44e0
0x003f44cc
0x003f44c0

APIs

Part of subcall function 003F5450: GetProcessHeap.KERNEL32 ref: 003F547C
Part of subcall function 003F5450: __Init_thread_footer.LIBCMT ref: 003F54A7
Part of subcall function 003F5450: __Init_thread_footer.LIBCMT ref: 003F5525

FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00000000,0040C8C8,000000FF,?,003F1E5E,?,9D5F503D), ref: 003F44F0

Part of subcall function 003F4E20: LoadResource.KERNEL32(00000000,00000000,00000001,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950), ref: 003F4E2C
Part of subcall function 003F4E20: LockResource.KERNEL32(00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E37
Part of subcall function 003F4E20: SizeofResource.KERNEL32(00000000,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E45

WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000), ref: 003F4529
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,00000000,0040C8C8,000000FF), ref: 003F4574
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000,?,?,?,?,00000000,0040C8C8,000000FF), ref: 003F45AA

Part of subcall function 003F4E80: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,00417950,?,?,?,?,003F466A,?,?,?,?,003F1170), ref: 003F4EB6

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Resource$ByteCharMultiWide$FindInit_thread_footer$HeapLoadLockProcessSizeof
String ID:
API String ID: 379512009-0
Opcode ID: 7ce89437ba0bd53cfaf554a8197f06984e48262ce4f1296a509f882afa859c56
Instruction ID: 12814af01c70e59bc2b002b16b5789910fc88b23c1263079654d7a0738497239
Opcode Fuzzy Hash: 7ce89437ba0bd53cfaf554a8197f06984e48262ce4f1296a509f882afa859c56
Instruction Fuzzy Hash: F351CC70300208AFE7269F68CC89B3BB7A9EF96714F20412DA745DF2D0CBB4A804CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003F7F6E Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E003F7F6E(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t98;
				signed int* _t99;
				signed char* _t101;
				signed int _t106;
				void* _t110;

				E003F6720(__edx, 0x414478, 0x10);
				_t74 = 0;
				_t52 =  *(_t110 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t98 = _t52[2];
					if(_t98 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t106 =  *(_t110 + 0xc);
						if(_t84 >= 0) {
							_t106 = _t106 + 0xc + _t98;
						}
						 *(_t110 - 4) = _t74;
						_t101 =  *(_t110 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t110 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t74;
									if(_t101[0x18] != _t74) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t106;
											if(_t106 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t78 = 0;
												_t74 = (_t78 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t74;
												 *(_t110 - 0x20) = _t74;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t106;
											if(_t106 == 0) {
												goto L32;
											} else {
												E003F78F0(_t106, E003F73F8(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t106;
										if(_t106 == 0) {
											goto L32;
										} else {
											E003F78F0(_t106,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t106;
												if( *_t106 != 0) {
													_push( &(_t101[8]));
													_push( *_t106);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x416f64; // 0x0
							 *((intOrPtr*)(_t110 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x40d254();
								_t84 =  *((intOrPtr*)(_t110 - 0x1c))();
								L12:
								if(_t84 == 0 || _t106 == 0) {
									L32:
									E003FF6F6(_t74, _t84, _t98, _t101, _t106);
									asm("int3");
									E003F6720(_t98, 0x414498, 8);
									_t99 =  *(_t110 + 0x10);
									_t85 =  *(_t110 + 0xc);
									__eflags =  *_t99;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t99[2];
										__eflags = _t85 + 0xc + _t99[2];
									} else {
										_t103 = _t85;
									}
									 *(_t110 - 4) =  *(_t110 - 4) & 0x00000000;
									_t107 =  *(_t110 + 0x14);
									_push( *(_t110 + 0x14));
									_push(_t99);
									_push(_t85);
									_t76 =  *((intOrPtr*)(_t110 + 8));
									_push( *((intOrPtr*)(_t110 + 8)));
									_t58 = E003F7F6E(_t85, _t99, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E003F8C75(_t103, _t107[0x18], E003F73F8( *((intOrPtr*)(_t76 + 0x18)),  &(_t107[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E003F8C85(_t103, _t107[0x18], E003F73F8( *((intOrPtr*)(_t76 + 0x18)),  &(_t107[8])), 1);
										}
									}
									 *(_t110 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0x10));
									return _t61;
								} else {
									 *_t106 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t106 = E003F73F8();
									L29:
									 *(_t110 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x003f7f75
0x003f7f7a
0x003f7f7c
0x003f7f7f
0x003f7f84
0x003f8094
0x003f8094
0x003f8094
0x00000000
0x003f7f93
0x003f7f93
0x003f7f98
0x003f7fa2
0x003f7fa4
0x003f7fa9
0x003f7fae
0x003f7fae
0x003f7fb0
0x003f7fb3
0x003f7fb8
0x003f7fda
0x003f7fda
0x003f7fdd
0x003f7fe0
0x003f7ffe
0x003f8001
0x003f8040
0x003f8043
0x003f8046
0x003f806b
0x003f806d
0x00000000
0x003f806f
0x003f806f
0x003f8071
0x00000000
0x003f8073
0x003f8073
0x003f8078
0x003f807c
0x003f807c
0x003f807d
0x00000000
0x003f807d
0x003f8071
0x003f8048
0x003f8048
0x003f804a
0x00000000
0x003f804c
0x003f804c
0x003f804e
0x00000000
0x003f8050
0x003f8061
0x00000000
0x003f8066
0x003f804e
0x003f804a
0x003f8003
0x003f8003
0x003f8007
0x00000000
0x003f800d
0x003f800d
0x003f800f
0x00000000
0x003f8015
0x003f801c
0x003f8024
0x003f8028
0x003f802a
0x003f802d
0x003f8032
0x003f8033
0x00000000
0x003f8033
0x003f802d
0x00000000
0x003f8028
0x003f800f
0x003f8007
0x003f7fe2
0x003f7fe2
0x00000000
0x003f7fe2
0x003f7fbf
0x003f7fbf
0x003f7fc4
0x003f7fc9
0x00000000
0x003f7fcb
0x003f7fcd
0x003f7fd6
0x003f7fe5
0x003f7fe7
0x003f80a6
0x003f80a6
0x003f80ab
0x003f80b3
0x003f80b8
0x003f80bb
0x003f80be
0x003f80c1
0x003f80ca
0x003f80ca
0x003f80c3
0x003f80c3
0x003f80c3
0x003f80cd
0x003f80d1
0x003f80d4
0x003f80d5
0x003f80d6
0x003f80d7
0x003f80da
0x003f80e3
0x003f80e3
0x003f80e6
0x003f811c
0x003f80e8
0x003f80e8
0x003f80e8
0x003f80eb
0x003f8102
0x003f8102
0x003f80eb
0x003f8121
0x003f812b
0x003f8137
0x003f7ff5
0x003f7ff5
0x003f7ffa
0x003f7ffb
0x003f8035
0x003f803c
0x003f8080
0x003f8080
0x003f8087
0x003f8096
0x003f8099
0x003f80a5
0x003f80a5
0x003f7fe7
0x003f7fc9
0x00000000
0x00000000
0x00000000
0x003f7f98

APIs

___AdjustPointer.LIBCMT ref: 003F8035
___AdjustPointer.LIBCMT ref: 003F8058
___AdjustPointer.LIBCMT ref: 003F80F4

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 62a26931cbd068582a4731d2836d54d185c7a14a6863671eee5222dd21b4c35c
Instruction ID: d932a40dbe043614edfbf1d39d866ba9af1dc24573976ea3083250c12856ac71
Opcode Fuzzy Hash: 62a26931cbd068582a4731d2836d54d185c7a14a6863671eee5222dd21b4c35c
Instruction Fuzzy Hash: D051D07260430AAFEB2E8F14D841BBAB7A4EF04700F15452DEA019B290EF31EC89D790

Uniqueness

Uniqueness Score: -1.00%

Function 00409C3E Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00409C3E(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				_t51 =  &_v44;
				E00409BF1( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E003FD87D(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00408CF0(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00404560(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E00408CF0(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E003FD87D(__eflags))) = 0xd;
						_t36 = E003FD86A(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E003FF852(_t51, 0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E003FEEB4(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E004060C9(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E003FD86A(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E003FD87D(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E003FD87D(_t70)));
										E003FF8AF(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E003FEEB4(_t56, _t50, _v12);
							E003FF8AF(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E003FD87D(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x00409c3e
0x00409c47
0x00409c4a
0x00409c56
0x00409c64
0x00409d8d
0x00409d92
0x00000000
0x00409c79
0x00409c79
0x00409c7c
0x00409c7f
0x00409c82
0x00409c84
0x00409d49
0x00409d52
0x00409d59
0x00409d5c
0x00409d5f
0x00000000
0x00000000
0x00409d6f
0x00409d71
0x00409d16
0x00409d16
0x00409d94
0x00409d9f
0x00409dad
0x00409dad
0x00409d78
0x00409d7e
0x00409d8b
0x00000000
0x00409d8b
0x00409c8a
0x00409ca0
0x00409ca3
0x00409ca4
0x00409ca6
0x00409cc1
0x00409cc4
0x00409cc7
0x00409cc8
0x00409cc8
0x00409cca
0x00409cdd
0x00409cdd
0x00409cdf
0x00409ce2
0x00409ce7
0x00409cea
0x00409ced
0x00409d1f
0x00409d22
0x00409d29
0x00409d29
0x00409d2f
0x00409d35
0x00409d37
0x00000000
0x00409d3c
0x00409cef
0x00409cf0
0x00409cf2
0x00409cf5
0x00409cf7
0x00409cfa
0x00409cfc
0x00409cd6
0x00409cd6
0x00000000
0x00409cd6
0x00409cfe
0x00000000
0x00000000
0x00000000
0x00409cfe
0x00409ccc
0x00000000
0x00000000
0x00409cce
0x00409cd4
0x00000000
0x00000000
0x00000000
0x00409d00
0x00409d00
0x00409d00
0x00409d08
0x00409d0e
0x00409d13
0x00000000
0x00409d13
0x00409cad
0x00000000
0x00409d3f
0x00409d3f
0x00409d41
0x00000000
0x00000000
0x00409d43
0x00000000
0x00000000
0x00409d45
0x00409d47
0x00000000
0x00000000
0x00000000
0x00409d47
0x00409c8a

APIs

_free.LIBCMT ref: 00409D0E
_free.LIBCMT ref: 00409D37
SetEndOfFile.KERNEL32(00000000,004087DF,00000000,00401B68,?,?,?,?,?,?,?,004087DF,00401B68,00000000), ref: 00409D69
GetLastError.KERNEL32(?,?,?,?,?,?,?,004087DF,00401B68,00000000,?,?,?,?,00000000), ref: 00409D85

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 806355459d9dbf58ed81ee7ed73c8471c41b0e6e8f0f28e774a06aaba037be64
Instruction ID: 0feaba01ad435f2ab6a24bd80e16f19619fce13a2555113d385b96ce1774cf26
Opcode Fuzzy Hash: 806355459d9dbf58ed81ee7ed73c8471c41b0e6e8f0f28e774a06aaba037be64
Instruction Fuzzy Hash: F5418872D40609ABEB116BB9CC46B9E37B5AF45360F240536F915FB2E3E638CC418729

Uniqueness

Uniqueness Score: -1.00%

Function 00409E1F Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00409E1F(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x4168b0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00409E08();
					E00409DCA();
					_t13 = WriteConsoleW( *0x4168b0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00409e3c
0x00409e40
0x00409e4d
0x00409e52
0x00409e6d
0x00409e6d
0x00409e73

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409644,00000000,00000001,00000000,00000000,?,00405C33,00000000,00000020,00000000), ref: 00409E36
GetLastError.KERNEL32(?,00409644,00000000,00000001,00000000,00000000,?,00405C33,00000000,00000020,00000000,00000000,00000000,?,00406187,00000000), ref: 00409E42

Part of subcall function 00409E08: CloseHandle.KERNEL32(FFFFFFFE,00409E52,?,00409644,00000000,00000001,00000000,00000000,?,00405C33,00000000,00000020,00000000,00000000,00000000), ref: 00409E18

___initconout.LIBCMT ref: 00409E52

Part of subcall function 00409DCA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00409DF9,00409631,00000000,?,00405C33,00000000,00000020,00000000,00000000), ref: 00409DDD

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00409644,00000000,00000001,00000000,00000000,?,00405C33,00000000,00000020,00000000,00000000), ref: 00409E67

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 599f14d121b647c49c66d0d34a3f6f04a17a2275f76101eee948ff76c9a18585
Instruction ID: 4f2bcaaf9b749d5e4129b2f48d3e058a91f28cd82c7b972bce0bfcf32014ca73
Opcode Fuzzy Hash: 599f14d121b647c49c66d0d34a3f6f04a17a2275f76101eee948ff76c9a18585
Instruction Fuzzy Hash: 83F01C36800158BBCF226FE5EC0498A3F6AFB483A5F058431FA1CA5161D732CC61DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 003FF496 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003FF496() {

				E003FF8AF( *0x417568);
				 *0x417568 = 0;
				E003FF8AF( *0x41756c);
				 *0x41756c = 0;
				E003FF8AF( *0x4176ec);
				 *0x4176ec = 0;
				E003FF8AF( *0x4176f0);
				 *0x4176f0 = 0;
				return 1;
			}

0x003ff49f
0x003ff4ac
0x003ff4b2
0x003ff4bd
0x003ff4c3
0x003ff4ce
0x003ff4d4
0x003ff4dc
0x003ff4e5

APIs

_free.LIBCMT ref: 003FF49F

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

_free.LIBCMT ref: 003FF4B2
_free.LIBCMT ref: 003FF4C3
_free.LIBCMT ref: 003FF4D4

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 96217ac9ffd68ac1ea0ca7df5b83da656f160e6b83b587ece94e6643f2457b82
Instruction ID: b043d04e5f6a95888ea973d1920d3190aa9e908975b2d4898dced094476193cd
Opcode Fuzzy Hash: 96217ac9ffd68ac1ea0ca7df5b83da656f160e6b83b587ece94e6643f2457b82
Instruction Fuzzy Hash: 51E0BDB1808924BEC602AF19FC818D93A36EB487A0301C236F9101A739CB321553DFD9

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00401FE1(signed int _a4, signed short* _a8, char _a12) {
				void _v8;
				signed int _v12;
				signed int _v16;
				signed short* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed short* _v32;
				void* _v36;
				long _v40;
				intOrPtr _v44;
				signed int _t84;
				intOrPtr _t86;
				signed short* _t87;
				signed int _t89;
				signed char _t90;
				signed int _t91;
				signed short _t97;
				void* _t99;
				signed short* _t100;
				signed short _t101;
				signed short* _t108;
				void* _t109;
				signed int _t111;
				intOrPtr _t112;
				signed short* _t113;
				signed int _t119;
				signed short* _t120;
				unsigned short _t121;
				char _t123;
				signed short _t124;
				signed int _t125;
				signed short* _t126;
				void* _t129;
				void* _t130;

				_t84 = _a4;
				_t108 = _a8;
				_t111 = _t84 >> 6;
				_t125 = (_t84 & 0x0000003f) * 0x38;
				_v12 = _t111;
				_t86 =  *((intOrPtr*)(0x417358 + _t111 * 4));
				_v44 = 0xa;
				_v36 =  *((intOrPtr*)(_t125 + _t86 + 0x18));
				_t10 =  &_a12; // 0x4027ef
				_t119 =  *_t10;
				if(_t119 == 0) {
					L3:
					 *(_t125 + _t86 + 0x28) =  *(_t125 + _t86 + 0x28) & 0x000000fb;
					L4:
					_t87 =  &(_t108[_t119]);
					_t126 = _t108;
					_v20 = _t87;
					_t120 = _t108;
					if(_t108 >= _t87) {
						L35:
						return _t126 - _t108 & 0xfffffffe;
					}
					_v24 = 0x1a;
					_v28 = 0xd;
					while(1) {
						_t89 =  *_t120 & 0x0000ffff;
						if(_t89 == _v24) {
							break;
						}
						_t113 =  &(_t120[1]);
						if(_t89 == _v28) {
							_t27 =  &_v20; // 0x4027ef
							if(_t113 >=  *_t27) {
								_v16 = _t113;
								if(ReadFile(_v36,  &_v8, 2,  &_v40, 0) == 0 || _v40 == 0) {
									_t120 = _v16;
									goto L27;
								} else {
									_t111 = _v12;
									if(( *(_t125 +  *((intOrPtr*)(0x417358 + _t111 * 4)) + 0x28) & 0x00000048) == 0) {
										_t97 = 0xa;
										if(_v8 != _t97 || _t126 != _t108) {
											E00408CF0(_a4, 0xfffffffe, 0xffffffff, 1);
											_t120 = _v16;
											_t130 = _t130 + 0x10;
											_t99 = 0xa;
											if(_v8 == _t99) {
												L29:
												_t111 = _v12;
												goto L30;
											}
											L27:
											_t89 = 0xd;
											L28:
											 *_t126 = _t89;
											_t126 =  &(_t126[1]);
											goto L29;
										} else {
											 *_t126 = _t97;
											_t126 =  &(_t126[1]);
											L23:
											_t120 = _v16;
											L30:
											_t75 =  &_v20; // 0x4027ef
											if(_t120 <  *_t75) {
												continue;
											}
											goto L35;
										}
									}
									_t121 = _v8;
									_t100 =  &(_t126[1]);
									_v32 = _t100;
									if(_t121 != _v44) {
										_t101 = 0xd;
										 *_t126 = _t101;
										 *(_t125 +  *((intOrPtr*)(0x417358 + _t111 * 4)) + 0x2a) = _t121;
										 *((char*)(_t125 +  *((intOrPtr*)(0x417358 + _t111 * 4)) + 0x2b)) = _t121 >> 8;
										_t123 = 0xa;
										 *((char*)(_t125 +  *((intOrPtr*)(0x417358 + _t111 * 4)) + 0x2c)) = _t123;
										_t100 = _v32;
									} else {
										_t124 = 0xa;
										 *_t126 = _t124;
									}
									_t126 = _t100;
									goto L23;
								}
							}
							_v16 =  *_t113 & 0x0000ffff;
							_v32 =  &(_t126[1]);
							_t109 = 0xa;
							if(_v16 == _t109) {
								_t89 = _t109;
							}
							_t108 = _a8;
							 *_t126 = _t89;
							_t126 = _v32;
							_t120 = _t120 + 2 + (0 | _v16 == _t109) * 2;
							goto L29;
						}
						_t120 = _t113;
						goto L28;
					}
					_t112 =  *((intOrPtr*)(0x417358 + _t111 * 4));
					_t90 =  *(_t112 + _t125 + 0x28);
					if((_t90 & 0x00000040) != 0) {
						_t91 = 0x1a;
						 *_t126 = _t91;
						_t126 =  &(_t126[1]);
					} else {
						 *(_t112 + _t125 + 0x28) = _t90 | 0x00000002;
					}
					goto L35;
				}
				_t129 = 0xa;
				if( *_t108 != _t129) {
					goto L3;
				}
				 *(_t125 + _t86 + 0x28) =  *(_t125 + _t86 + 0x28) | 0x00000004;
				goto L4;
			}

0x00401fe9
0x00401fef
0x00401ff6
0x00401ffa
0x00401ffd
0x00402000
0x00402007
0x00402012
0x00402015
0x00402015
0x0040201a
0x0040202b
0x0040202b
0x00402030
0x00402030
0x00402033
0x00402035
0x00402038
0x0040203c
0x004021a6
0x004021b1
0x004021b1
0x00402042
0x00402049
0x00402050
0x00402050
0x00402057
0x00000000
0x00000000
0x0040205d
0x00402064
0x0040206d
0x00402070
0x004020b2
0x004020c7
0x0040216c
0x00000000
0x004020d7
0x004020d7
0x004020e6
0x00402137
0x0040213c
0x00402156
0x0040215b
0x0040215e
0x00402163
0x00402168
0x00402178
0x00402178
0x00000000
0x00402178
0x0040216f
0x00402171
0x00402172
0x00402172
0x00402175
0x00000000
0x00402142
0x00402142
0x00402145
0x00402148
0x00402148
0x0040217b
0x0040217b
0x0040217e
0x00000000
0x00000000
0x00000000
0x00402184
0x0040213c
0x004020e8
0x004020ec
0x004020ef
0x004020f6
0x00402102
0x00402103
0x0040210f
0x0040211e
0x00402129
0x0040212a
0x0040212e
0x004020f8
0x004020fa
0x004020fb
0x004020fb
0x00402131
0x00000000
0x00402131
0x004020c7
0x00402075
0x0040207d
0x00402083
0x00402087
0x0040208a
0x0040208a
0x00402093
0x00402099
0x0040209c
0x004020a6
0x00000000
0x004020a6
0x00402066
0x00000000
0x00402066
0x00402186
0x0040218d
0x00402193
0x0040219f
0x004021a0
0x004021a3
0x00402195
0x00402197
0x00402197
0x00000000
0x00402193
0x0040201e
0x00402022
0x00000000
0x00000000
0x00402024
0x00000000

APIs

ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,?), ref: 004020BF

Strings

'@, xrefs: 00402015
'@, xrefs: 0040206D, 0040217B

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: FileRead
String ID: '@$'@
API String ID: 2738559852-3155417233
Opcode ID: 733ae51414ff21ce90447555c8278ea92e65a923176227d76d2a599219cdca05
Instruction ID: 2ed15b1b901dbfed77071264027e9a088c9d64b34a14980efa75b5a2a287058b
Opcode Fuzzy Hash: 733ae51414ff21ce90447555c8278ea92e65a923176227d76d2a599219cdca05
Instruction Fuzzy Hash: 79511631A04219EBCB20DF58C984BEEB7B1BF49310F24812AD955BB3D0D3B89D41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 003FC3F5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E003FC3F5(void* __ecx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				void* _v20;
				signed int _t19;
				signed int _t24;
				signed int _t26;
				signed int _t27;
				intOrPtr* _t31;
				intOrPtr* _t40;
				signed int _t45;
				signed int _t48;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t62;
				signed short* _t65;
				intOrPtr _t66;
				signed int _t68;
				void* _t69;
				signed int _t70;

				_push(__ecx);
				_push(__ecx);
				_t19 =  *0x416014; // 0x9d5f503d
				_v8 = _t19 ^ _t68;
				_t65 = _a4;
				_t74 = _t65;
				if(_t65 != 0) {
					__eflags = E003FE090(_t65, _a8) - _a8;
					if(__eflags < 0) {
						_t24 =  *( *_a12 + 0xa8);
						__eflags = _t24;
						if(_t24 != 0) {
							_t62 = 0;
							_t60 = E00402A41(_t24, 0x200, _t65, 0xffffffff, 0, 0);
							_t70 = _t69 + 0x18;
							_v12 = _t60;
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = _a8 - _t60;
								if(__eflags >= 0) {
									_t26 = _t60 + _t60;
									_t12 = _t26 + 8; // 0x8
									_t54 = _t12;
									__eflags = _t26 - _t54;
									asm("sbb eax, eax");
									_t27 = _t26 & _t54;
									__eflags = _t27;
									if(_t27 == 0) {
										L24:
										__eflags = _t62;
										if(__eflags != 0) {
											__eflags = E00402A41( *( *_a12 + 0xa8), 0x200, _t65, 0xffffffff, _t62, _t60);
											if(__eflags == 0) {
												_t31 = E003FD87D(__eflags);
												_t66 = 0x2a;
												 *_t31 = _t66;
											} else {
												_t66 = E004029DD(_t65, _a8, _t62);
											}
										} else {
											 *((intOrPtr*)(E003FD87D(__eflags))) = 0xc;
											_t66 =  *((intOrPtr*)(E003FD87D(__eflags)));
										}
										E003FC570(_t62);
										L30:
										L31:
										return E003F5D05(_v8 ^ _t68);
									}
									__eflags = _t27 - 0x400;
									if(_t27 > 0x400) {
										_t62 = E00400374(_t54, _t27);
										__eflags = _t62;
										if(_t62 == 0) {
											L23:
											_t60 = _v12;
											goto L24;
										}
										 *_t62 = 0xdddd;
										L22:
										_t62 = _t62 + 8;
										__eflags = _t62;
										goto L23;
									}
									E0040BB50();
									_t62 = _t70;
									__eflags = _t62;
									if(_t62 == 0) {
										goto L23;
									}
									 *_t62 = 0xcccc;
									goto L22;
								}
								 *_t65 = 0;
								_t40 = E003FD87D(__eflags);
								_push(0x22);
								L2:
								_pop(_t66);
								 *_t40 = _t66;
								E003FDA3C();
								goto L30;
							}
							 *((intOrPtr*)(E003FD87D(__eflags))) = 0x2a;
							E003FD87D(__eflags);
							goto L31;
						}
						_t45 =  *_t65 & 0x0000ffff;
						__eflags = _t45;
						if(_t45 == 0) {
							L11:
							goto L31;
						}
						_t59 = _t45;
						do {
							__eflags = _t59 - 0x61 - 0x19;
							if(_t59 - 0x61 <= 0x19) {
								 *_t65 = _t59 - 0x20;
							}
							_t65 =  &(_t65[1]);
							_t48 =  *_t65 & 0x0000ffff;
							_t59 = _t48;
							__eflags = _t48;
						} while (_t48 != 0);
						goto L11;
					}
					 *_t65 = 0;
				}
				_t40 = E003FD87D(_t74);
				_push(0x16);
				goto L2;
			}

0x003fc3fa
0x003fc3fb
0x003fc3fc
0x003fc403
0x003fc407
0x003fc40b
0x003fc40d
0x003fc42e
0x003fc431
0x003fc43f
0x003fc445
0x003fc447
0x003fc476
0x003fc488
0x003fc48a
0x003fc48d
0x003fc490
0x003fc492
0x003fc4ab
0x003fc4ae
0x003fc4c1
0x003fc4c4
0x003fc4c4
0x003fc4c7
0x003fc4c9
0x003fc4cb
0x003fc4cb
0x003fc4cd
0x003fc502
0x003fc502
0x003fc504
0x003fc537
0x003fc539
0x003fc54c
0x003fc553
0x003fc554
0x003fc53b
0x003fc548
0x003fc548
0x003fc506
0x003fc50b
0x003fc516
0x003fc516
0x003fc557
0x003fc55d
0x003fc55f
0x003fc56f
0x003fc56f
0x003fc4cf
0x003fc4d4
0x003fc4ef
0x003fc4f2
0x003fc4f4
0x003fc4ff
0x003fc4ff
0x00000000
0x003fc4ff
0x003fc4f6
0x003fc4fc
0x003fc4fc
0x003fc4fc
0x00000000
0x003fc4fc
0x003fc4d6
0x003fc4db
0x003fc4dd
0x003fc4df
0x00000000
0x00000000
0x003fc4e1
0x00000000
0x003fc4e1
0x003fc4b2
0x003fc4b5
0x003fc4ba
0x003fc416
0x003fc416
0x003fc417
0x003fc419
0x00000000
0x003fc419
0x003fc499
0x003fc49f
0x00000000
0x003fc4a4
0x003fc449
0x003fc44c
0x003fc44f
0x003fc46f
0x00000000
0x003fc46f
0x003fc451
0x003fc453
0x003fc456
0x003fc45a
0x003fc45f
0x003fc45f
0x003fc462
0x003fc465
0x003fc468
0x003fc46a
0x003fc46a
0x00000000
0x003fc453
0x003fc435
0x003fc435
0x003fc40f
0x003fc414
0x00000000

APIs

__alloca_probe_16.LIBCMT ref: 003FC4D6
__freea.LIBCMT ref: 003FC557

Part of subcall function 00400374: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040566F,?,00000000,?,003FF6D2,?,00000004,00000004,?,00000000,?,003FF200), ref: 004003A6

Strings

\fa_rss, xrefs: 003FC40A

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: AllocateHeap__alloca_probe_16__freea
String ID: \fa_rss
API String ID: 809856575-182667134
Opcode ID: 1e1c96b328b15ce301b75fa4c4adb19be51185eec7e5df34bb62192dee867c10
Instruction ID: 81356f8f234ddc1c38b9953d55d50995913c87364523d851804b8416a1043348
Opcode Fuzzy Hash: 1e1c96b328b15ce301b75fa4c4adb19be51185eec7e5df34bb62192dee867c10
Instruction Fuzzy Hash: B4416A7166011DABDB23AF6ACD05EBA37E5EF81750B210529FA19DF291EB30D800C764

Uniqueness

Uniqueness Score: -1.00%

Function 003FF177 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E003FF177(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;
				signed int _t38;
				signed int _t41;
				void* _t46;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int* _t70;
				signed int _t74;
				void* _t75;

				_t63 = __edx;
				_v12 = __ecx;
				_t27 =  *__ecx;
				_t70 =  *_t27;
				if(_t70 == 0) {
					L14:
					return _t27 | 0xffffffff;
				}
				_t29 =  *0x416014; // 0x9d5f503d
				_t50 =  *_t70 ^ _t29;
				_t67 = _t70[1] ^ _t29;
				_t72 = _t70[2] ^ _t29;
				asm("ror edi, cl");
				asm("ror esi, cl");
				asm("ror ebx, cl");
				if(_t67 != _t72) {
					L13:
					 *_t67 = E003FE45D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
					_t33 = E003FE45D(_t50);
					_t51 = _v12;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)))) = _t33;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 4)) = E003FE45D(_t67 + 4);
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 8)) = E003FE45D(_t72);
					return 0;
				}
				_t38 = 0x200;
				_t74 = _t72 - _t50 >> 2;
				if(_t74 <= 0x200) {
					_t38 = _t74;
				}
				_t68 = _t38 + _t74;
				if(_t68 == 0) {
					_t68 = 0x20;
				}
				if(_t68 < _t74) {
					L8:
					_t7 = _t74 + 4; // 0x4
					_t68 = _t7;
					_v8 = E003FF689(_t50, _t68, 4);
					_t27 = E003FF8AF(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 == 0) {
						goto L14;
					}
					goto L9;
				} else {
					_v8 = E003FF689(_t50, _t68, 4);
					E003FF8AF(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 != 0) {
						L9:
						_t50 = _t61;
						_v8 = _t61 + _t74 * 4;
						_t72 = _t61 + _t68 * 4;
						_t41 =  *0x416014; // 0x9d5f503d
						_t67 = _v8;
						_t62 = _t67;
						_v16 = _t41;
						asm("sbb edx, edx");
						_t65 =  !_t63 & _t61 + _t68 * 0x00000004 - _t67 + 0x00000003 >> 0x00000002;
						if(_t65 == 0) {
							goto L13;
						}
						_t69 = _v16;
						_t46 = 0;
						do {
							_t46 = _t46 + 1;
							 *_t62 = _t69;
							_t62 = _t62 + 4;
						} while (_t46 != _t65);
						_t67 = _v8;
						goto L13;
					}
					goto L8;
				}
			}

0x003ff177
0x003ff181
0x003ff186
0x003ff189
0x003ff18d
0x003ff298
0x00000000
0x003ff298
0x003ff193
0x003ff1a2
0x003ff1a7
0x003ff1a9
0x003ff1ab
0x003ff1ad
0x003ff1af
0x003ff1b3
0x003ff256
0x003ff264
0x003ff266
0x003ff26b
0x003ff272
0x003ff282
0x003ff291
0x00000000
0x003ff294
0x003ff1bb
0x003ff1c0
0x003ff1c5
0x003ff1c7
0x003ff1c7
0x003ff1c9
0x003ff1ce
0x003ff1d2
0x003ff1d2
0x003ff1d5
0x003ff1f4
0x003ff1f6
0x003ff1f6
0x003ff202
0x003ff205
0x003ff20a
0x003ff20d
0x003ff212
0x00000000
0x00000000
0x00000000
0x003ff1d7
0x003ff1e2
0x003ff1e5
0x003ff1ea
0x003ff1ed
0x003ff1f2
0x003ff218
0x003ff21b
0x003ff21d
0x003ff220
0x003ff223
0x003ff228
0x003ff22b
0x003ff22d
0x003ff23c
0x003ff240
0x003ff242
0x00000000
0x00000000
0x003ff244
0x003ff247
0x003ff249
0x003ff249
0x003ff24a
0x003ff24c
0x003ff24f
0x003ff253
0x00000000
0x003ff253
0x00000000
0x003ff1f2

APIs

_free.LIBCMT ref: 003FF1E5
_free.LIBCMT ref: 003FF205

Strings

U?^a? U?, xrefs: 003FF20A, 003FF228, 003FF253, 003FF1EA, 003FF263

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free
String ID: U?^a? U?
API String ID: 269201875-1416405845
Opcode ID: fcb0178c3fed69403d43e3f2adf375f634bab94cfece3667588e6196b574620d
Instruction ID: f5f802ed2dd7e18b799a082129f67932509440251cf21ccf1c373536b7462e33
Opcode Fuzzy Hash: fcb0178c3fed69403d43e3f2adf375f634bab94cfece3667588e6196b574620d
Instruction Fuzzy Hash: B0419776A00208AFCB11DF79C881A6DB7B6EF89714B164579EA15EF351DB31ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003F857B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E003F857B(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E003F7E80(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E003F7E80(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E003F6FF3(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E003F6F25(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E003F8145(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E003FF6F6(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x003f857b
0x003f857b
0x003f8582
0x003f858b
0x003f86aa
0x003f8591
0x003f8591
0x003f8592
0x003f8593
0x003f859d
0x003f85a0
0x003f85a6
0x003f85b0
0x003f85d5
0x003f85da
0x003f85df
0x003f86a6
0x00000000
0x003f86a7
0x003f85df
0x003f85b0
0x003f85e5
0x003f85e8
0x003f85eb
0x003f85f1
0x003f85f7
0x003f8609
0x003f860e
0x003f8611
0x003f8614
0x003f8617
0x003f861a
0x003f8620
0x003f8626
0x003f8629
0x003f862c
0x003f863b
0x003f863c
0x003f863c
0x003f8641
0x003f8654
0x003f8656
0x003f865b
0x003f8666
0x003f8668
0x003f866a
0x003f8686
0x003f868b
0x003f868e
0x003f868e
0x003f8666
0x003f865b
0x003f8694
0x003f8695
0x003f8698
0x003f869b
0x003f869e
0x003f86a1
0x003f862c
0x00000000
0x003f8620
0x003f86ab
0x003f86b0
0x003f86b4
0x003f86b7
0x003f86b8
0x003f86b9
0x003f86ba
0x003f86bf
0x003f8737
0x003f8739
0x003f86c1
0x003f86c1
0x003f86c7
0x00000000
0x003f86c9
0x003f86cc
0x003f86cf
0x003f86d6
0x003f86d9
0x003f86dd
0x003f870f
0x003f8712
0x003f8719
0x003f871f
0x003f8729
0x003f8732
0x003f8732
0x003f8729
0x003f871f
0x003f8733
0x003f86df
0x003f86df
0x003f86df
0x003f86e2
0x003f86e2
0x003f86e6
0x00000000
0x00000000
0x003f86ea
0x003f86fe
0x003f86fe
0x003f86ec
0x003f86ec
0x003f86f2
0x00000000
0x003f86f4
0x003f86f4
0x003f86f7
0x003f86fc
0x00000000
0x00000000
0x00000000
0x00000000
0x003f86fc
0x003f86f2
0x003f8707
0x003f8709
0x00000000
0x003f870b
0x003f870b
0x003f870b
0x00000000
0x003f8709
0x003f8702
0x003f8704
0x00000000
0x003f8704
0x00000000
0x00000000
0x00000000
0x003f86cf
0x003f86c7
0x003f873a
0x003f873e
0x003f873e

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 003F85A0

Strings

MOC, xrefs: 003F85B2
RCC, xrefs: 003F85BA

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b301f64183b7a8b9c9c4ab991b7082079527cf9548170d16511f79079ab04360
Instruction ID: a2cb370b076ebae1de90568c325a8d669338db12642c20b2872e6a15648b83fe
Opcode Fuzzy Hash: b301f64183b7a8b9c9c4ab991b7082079527cf9548170d16511f79079ab04360
Instruction Fuzzy Hash: 7C41487290020DAFCF1ADF94CD81AEEBBB5FF48304F154099FB08AA261DB359961DB50

Uniqueness

Uniqueness Score: -1.00%

Function 004037B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004037B7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t63;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E004038D0(__ecx, __edx, __eflags);
				_t39 = E00403560(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(_t63);
					_t81 = E00400374(_t69, 0x220);
					_t64 = _t63 | 0xffffffff;
					__eflags = _t81;
					if(__eflags == 0) {
						L5:
						_t86 = _t64;
					} else {
						_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
						 *_t81 =  *_t81 & 0x00000000;
						_t86 = E004039CB(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81);
						__eflags = _t86 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E003FEFF1();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x416320;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0x416320) {
									E003FF8AF( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t81 = 1;
							_t76 = _t81;
							_t81 = 0;
							 *(_a12 + 0x48) = _t76;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0x416898 & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E00403452( &_v5, _t79, __eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0x41620c =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E003FD87D(__eflags))) = 0x16;
							goto L5;
						}
					}
					E003FF8AF(_t81);
					return _t86;
				} else {
					return 0;
				}
			}

0x004037b7
0x004037bf
0x004037c2
0x004037c5
0x004037cd
0x004037d8
0x004037db
0x004037e1
0x004037e7
0x004037f4
0x004037f6
0x004037fa
0x004037fc
0x0040382c
0x0040382c
0x004037fe
0x0040380b
0x00403811
0x00403819
0x0040381d
0x0040381f
0x0040383c
0x00403840
0x00403842
0x00403842
0x0040384d
0x00403851
0x00403852
0x00403854
0x00403857
0x0040385e
0x00403863
0x00403868
0x0040385e
0x00403869
0x0040386f
0x00403874
0x00403876
0x00403879
0x0040387c
0x00403883
0x00403885
0x0040388c
0x00403891
0x0040389c
0x0040389f
0x004038a0
0x004038a3
0x004038a9
0x004038ad
0x004038b1
0x004038b2
0x004038b7
0x004038bb
0x004038c6
0x004038c6
0x004038bb
0x0040388c
0x00403821
0x00403826
0x00000000
0x00403826
0x0040381f
0x0040382f
0x0040383b
0x004037e3
0x004037e6
0x004037e6

APIs

Part of subcall function 00403560: GetOEMCP.KERNEL32(00000000,004037D2,8007000E,?,003F9BEA,003F9BEA,?,?,8007000E), ref: 0040358B

_free.LIBCMT ref: 0040382F

Strings

cA, xrefs: 00403857

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free
String ID: cA
API String ID: 269201875-2282215056
Opcode ID: 1218a9286d23d58f9a382266f4ad162cb3aa4edc333861559877ecbee0c9590f
Instruction ID: a7b142b4de8ca295d2b75f537b92dc9814492e31927513d64d7134c37bd1a147
Opcode Fuzzy Hash: 1218a9286d23d58f9a382266f4ad162cb3aa4edc333861559877ecbee0c9590f
Instruction Fuzzy Hash: 6B319272900249AFCB11EF69D841A9A7BE8EF44315F1181BAF911AB2E1E735DE40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040166B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040166B(void* __eflags, intOrPtr* _a4) {
				void* _t15;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t32;
				intOrPtr* _t33;
				intOrPtr* _t34;

				_t34 = _a4;
				if(E00408033(E00401606(_t34)) == 0) {
					L11:
					return 0;
				}
				_t15 = E003F992C(1);
				_t24 = 2;
				if(_t34 != _t15) {
					if(_t34 != E003F992C(_t24)) {
						goto L11;
					}
					_t33 = 0x41756c;
					L5:
					 *0x417014 =  *0x417014 + 1;
					_t29 = _t34 + 0xc;
					if(( *(_t34 + 0xc) & 0x000004c0) != 0) {
						goto L11;
					}
					asm("lock or [ecx], eax");
					_t19 =  *_t33;
					if(_t19 != 0) {
						L10:
						 *((intOrPtr*)(_t34 + 4)) = _t19;
						 *_t34 =  *_t33;
						 *((intOrPtr*)(_t34 + 8)) = 0x1000;
						 *((intOrPtr*)(_t34 + 0x18)) = 0x1000;
						L9:
						return 1;
					}
					 *_t33 = E00400374(_t29, 0x1000);
					E003FF8AF(0);
					_t19 =  *_t33;
					if(_t19 != 0) {
						goto L10;
					}
					_t32 = _t34 + 0x14;
					 *((intOrPtr*)(_t34 + 8)) = _t24;
					 *((intOrPtr*)(_t34 + 4)) = _t32;
					 *_t34 = _t32;
					 *((intOrPtr*)(_t34 + 0x18)) = _t24;
					goto L9;
				}
				_t33 = 0x417568;
				goto L5;
			}

0x00401672
0x00401686
0x00401717
0x00000000
0x00401717
0x0040168e
0x00401696
0x00401699
0x004016ab
0x00000000
0x00000000
0x004016ad
0x004016b2
0x004016b2
0x004016b8
0x004016c3
0x00000000
0x00000000
0x004016ca
0x004016cd
0x004016d1
0x00401700
0x00401700
0x00401705
0x00401707
0x0040170e
0x004016fc
0x00000000
0x004016fc
0x004016df
0x004016e1
0x004016e6
0x004016ec
0x00000000
0x00000000
0x004016ee
0x004016f1
0x004016f4
0x004016f7
0x004016f9
0x00000000
0x004016f9
0x0040169b
0x00000000

APIs

_free.LIBCMT ref: 004016E1

Strings

huA, xrefs: 0040169B
luA, xrefs: 004016AD

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free
String ID: huA$luA
API String ID: 269201875-642238191
Opcode ID: ab59e0260e82659426b14f6ad529eaa5897c03ee780470c2172ee9cda1eb30ae
Instruction ID: 7cbc0bdab0ebc98c8f3b1deceeb40a0856fe65f72b5a04e2aae299434ef2bc4e
Opcode Fuzzy Hash: ab59e0260e82659426b14f6ad529eaa5897c03ee780470c2172ee9cda1eb30ae
Instruction Fuzzy Hash: 4E11B1715043019BD7249F29D881B93B7E8EB453A8B20443FF589EB7E1EB79E8818758

Uniqueness

Uniqueness Score: -1.00%

Function 003F9864 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F9864(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				void* _t23;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t23 = __ecx;
				_t9 =  *0x41700c; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x41700c = _t9;
				}
				 *0x417010 = E003FF852(_t23, _t9, 4);
				E003FF8AF(0);
				if( *0x417010 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x416050;
					do {
						_t1 = _t31 + 0x20; // 0x416070
						E003FFC5D(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x417010; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x417358 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x4160f8;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x41700c = _t30;
					 *0x417010 = E003FF852(_t23, _t30, 4);
					_t21 = E003FF8AF(0);
					if( *0x417010 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x003f9864
0x003f9864
0x003f986c
0x003f986f
0x003f9878
0x003f987a
0x003f987c
0x00000000
0x003f987c
0x003f9871
0x003f9871
0x003f987e
0x003f987e
0x003f987e
0x003f988d
0x003f9892
0x003f98a1
0x003f98ce
0x003f98cf
0x003f98cf
0x003f98d1
0x003f98d6
0x003f98dd
0x003f98e1
0x003f98e6
0x003f98f0
0x003f9902
0x003f9906
0x003f9909
0x003f9914
0x003f9914
0x003f990b
0x003f990b
0x003f990e
0x00000000
0x003f9910
0x003f9910
0x003f9912
0x00000000
0x00000000
0x003f9912
0x003f990e
0x003f991b
0x003f991e
0x003f991f
0x003f991f
0x003f9928
0x003f992b
0x003f98a3
0x003f98a6
0x003f98b3
0x003f98b8
0x003f98c7
0x00000000
0x003f98c9
0x003f98cd
0x003f98cd
0x003f98c7

APIs

_free.LIBCMT ref: 003F9892
_free.LIBCMT ref: 003F98B8

Strings

P`A, xrefs: 003F98D1

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free
String ID: P`A
API String ID: 269201875-4158385411
Opcode ID: 09c003739e79f37ef5b02e8d8f86edd2a9b06698d316f8bdd288d401e6634366
Instruction ID: c4edf1608447e37f990640b4664d4a909bf2d381cde6065a29a327d0689b6b25
Opcode Fuzzy Hash: 09c003739e79f37ef5b02e8d8f86edd2a9b06698d316f8bdd288d401e6634366
Instruction Fuzzy Hash: D711D371A043185BD7229F28AC01BF63BA4BB4A7B0F058A3BFB61DB1E0D3B4C9414794

Uniqueness

Uniqueness Score: -1.00%

Function 003F5100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E003F5100(signed int __ebx, unsigned int* __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				long _v16;
				void* __ebp;
				signed int _t25;
				void* _t31;
				void* _t32;
				intOrPtr _t34;
				signed int _t35;
				signed int _t38;
				unsigned int _t40;
				signed int _t44;
				intOrPtr _t45;
				unsigned int* _t52;
				unsigned int _t55;
				void* _t56;
				unsigned int _t57;
				unsigned int* _t60;
				signed int _t65;
				unsigned int _t66;
				void* _t67;
				void* _t69;
				void* _t73;

				_t49 = __ebx;
				_push(__ecx);
				_t25 = _a8;
				_push(__ebx);
				_push(__edi);
				_t60 = __ecx;
				_t55 =  *(__ecx + 0x14);
				_v8 = _t55;
				if(_t25 > _t55) {
					__eflags = _t25 - 0x7ffffffe;
					if(__eflags > 0) {
						L25:
						E003F4FA0(_t55);
						goto L26;
					} else {
						_t65 = _t25 | 0x00000007;
						__eflags = _t65 - 0x7ffffffe;
						if(_t65 <= 0x7ffffffe) {
							_t57 = _t55 >> 1;
							__eflags = _t55 - 0x7ffffffe - _t57;
							if(_t55 <= 0x7ffffffe - _t57) {
								_t31 = _t57 + _t55;
								__eflags = _t65 - _t31;
								_t66 =  <  ? _t31 : _t65;
							} else {
								_t66 = 0x7ffffffe;
							}
						} else {
							_t66 = 0x7ffffffe;
						}
						_t9 = _t66 + 1; // 0x7fffffff
						_t32 = _t9;
						__eflags = _t32 - 0x7fffffff;
						if(_t32 > 0x7fffffff) {
							L24:
							L003F50E0(_t49, _t60, _t66);
							goto L25;
						} else {
							_t34 = _t32 + _t32;
							__eflags = _t34 - 0x1000;
							if(_t34 < 0x1000) {
								__eflags = _t34;
								if(__eflags == 0) {
									_t49 = 0;
									__eflags = 0;
								} else {
									_t44 = E003F637E(_t49, _t55, _t60, __eflags, _t34);
									_t73 = _t73 + 4;
									_t49 = _t44;
								}
								goto L18;
							} else {
								_t55 = _t34 + 0x23;
								__eflags = _t55 - _t34;
								if(__eflags <= 0) {
									goto L24;
								} else {
									_t45 = E003F637E(_t49, _t55, _t60, __eflags, _t55);
									_t73 = _t73 + 4;
									__eflags = _t45;
									if(__eflags == 0) {
										L26:
										E003FDA4C(_t49, _t55, _t57, _t60, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										return HeapAlloc( *(_t55 + 4), 0, _v16);
									} else {
										_t49 = _t45 + 0x00000023 & 0xffffffe0;
										 *((intOrPtr*)(_t49 - 4)) = _t45;
										L18:
										_t35 = _a8;
										_t60[5] = _t66;
										_t60[4] = _t35;
										_t67 = _t35 + _t35;
										E003F92F0(_t49, _a4, _t67);
										_t73 = _t73 + 0xc;
										 *((short*)(_t67 + _t49)) = 0;
										_t38 = _v8;
										__eflags = _t38 - 8;
										if(_t38 < 8) {
											L23:
											 *_t60 = _t49;
											return _t60;
										} else {
											_t56 = 2 + _t38 * 2;
											_t40 =  *_t60;
											__eflags = _t56 - 0x1000;
											if(_t56 < 0x1000) {
												L22:
												_push(_t56);
												E003F6168(_t40);
												goto L23;
											} else {
												_t57 =  *(_t40 - 4);
												_t55 = _t56 + 0x23;
												__eflags = _t40 - _t57 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L26;
												} else {
													_t40 = _t57;
													goto L22;
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					_t52 = __ecx;
					if(_t55 >= 8) {
						_t52 =  *((intOrPtr*)(__ecx));
					}
					_t69 = _t25 + _t25;
					_t60[4] = _t25;
					E003F78F0(_t52, _a4, _t69);
					 *((short*)(_t69 + _t52)) = 0;
					return _t60;
				}
			}

0x003f5100
0x003f5103
0x003f5104
0x003f5107
0x003f5109
0x003f510a
0x003f510c
0x003f510f
0x003f5114
0x003f5143
0x003f5148
0x003f5237
0x003f5237
0x00000000
0x003f514e
0x003f5150
0x003f5153
0x003f5159
0x003f5169
0x003f516d
0x003f516f
0x003f5178
0x003f517b
0x003f517d
0x003f5171
0x003f5171
0x003f5171
0x003f515b
0x003f515b
0x003f515b
0x003f5180
0x003f5180
0x003f5183
0x003f5188
0x003f5232
0x003f5232
0x00000000
0x003f518e
0x003f518e
0x003f5190
0x003f5195
0x003f51be
0x003f51c0
0x003f51cf
0x003f51cf
0x003f51c2
0x003f51c3
0x003f51c8
0x003f51cb
0x003f51cb
0x00000000
0x003f5197
0x003f5197
0x003f519a
0x003f519c
0x00000000
0x003f51a2
0x003f51a3
0x003f51a8
0x003f51ab
0x003f51ad
0x003f523c
0x003f523c
0x003f5241
0x003f5242
0x003f5243
0x003f5244
0x003f5245
0x003f5246
0x003f5247
0x003f5248
0x003f5249
0x003f524a
0x003f524b
0x003f524c
0x003f524d
0x003f524e
0x003f524f
0x003f5262
0x003f51b3
0x003f51b6
0x003f51b9
0x003f51d1
0x003f51d1
0x003f51d4
0x003f51d7
0x003f51da
0x003f51e2
0x003f51e9
0x003f51ec
0x003f51f0
0x003f51f3
0x003f51f6
0x003f5225
0x003f5225
0x003f522f
0x003f51f8
0x003f51f8
0x003f51ff
0x003f5201
0x003f5207
0x003f521b
0x003f521b
0x003f521d
0x00000000
0x003f5209
0x003f5209
0x003f520c
0x003f5214
0x003f5217
0x00000000
0x003f5219
0x003f5219
0x00000000
0x003f5219
0x003f5217
0x003f5207
0x003f51f6
0x003f51ad
0x003f519c
0x003f5195
0x003f5188
0x003f5116
0x003f5116
0x003f511b
0x003f511d
0x003f511d
0x003f511f
0x003f5122
0x003f512a
0x003f5134
0x003f5140
0x003f5140

Strings

\fa_rss, xrefs: 003F5109

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID:
String ID: \fa_rss
API String ID: 0-182667134
Opcode ID: 7960c74413f128e1bd4f5feed009bfc32b8e7f4b12c088200587a3bc3122ba7c
Instruction ID: 9425a1fb9f2a52fb62378a7d4eac71489a77e0b098b70e1e076a52c5db1b4647
Opcode Fuzzy Hash: 7960c74413f128e1bd4f5feed009bfc32b8e7f4b12c088200587a3bc3122ba7c
Instruction Fuzzy Hash: C7F04C3290050DBBCB156A78D844DAEBADEEB41360B318739F739C71E1DB30EC4085A5

Uniqueness

Uniqueness Score: -1.00%

Function 00400A91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00400A91(void* __ebx, void* __ecx, void* __edx, void* __edi) {
				void* __esi;
				intOrPtr _t1;
				signed int _t2;
				intOrPtr _t5;
				signed int _t6;
				void* _t25;
				signed int _t26;
				void* _t28;
				void* _t33;
				void* _t34;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				long _t40;
				void* _t43;

				_t34 = __edi;
				_t33 = __edx;
				_t28 = __ecx;
				_t25 = __ebx;
				_t1 =  *0x416148; // 0x6
				_push(_t39);
				_t45 = _t1 - 0xffffffff;
				if(_t1 == 0xffffffff) {
					L5:
					_t2 = E003FFC1B(__eflags, _t1, 0xffffffff);
					__eflags = _t2;
					if(_t2 == 0) {
						goto L14;
					} else {
						_t39 = E003FF852(_t28, 1, 0x364);
						_pop(_t28);
						__eflags = _t39;
						if(__eflags != 0) {
							__eflags = E003FFC1B(__eflags,  *0x416148, _t39);
							if(__eflags != 0) {
								E00400802(_t39, "PaA");
								E003FF8AF(0);
								_t43 = _t43 + 0xc;
								goto L12;
							} else {
								E003FFC1B(__eflags,  *0x416148, _t17);
								_push(_t39);
								goto L8;
							}
						} else {
							E003FFC1B(__eflags,  *0x416148, _t16);
							_push(_t39);
							L8:
							E003FF8AF();
							_pop(_t28);
							goto L14;
						}
					}
				} else {
					_t39 = E003FFBDC(_t45, _t1);
					if(_t39 == 0) {
						_t1 =  *0x416148; // 0x6
						goto L5;
					} else {
						if(_t39 == 0xffffffff) {
							L14:
							E003FF6F6(_t25, _t28, _t33, _t34, _t39);
							asm("int3");
							_push(_t25);
							_push(_t39);
							_push(_t34);
							_t40 = GetLastError();
							_t5 =  *0x416148; // 0x6
							__eflags = _t5 - 0xffffffff;
							if(__eflags == 0) {
								L21:
								_t6 = E003FFC1B(__eflags, _t5, 0xffffffff);
								__eflags = _t6;
								if(_t6 == 0) {
									goto L18;
								} else {
									_t35 = E003FF852(_t28, 1, 0x364);
									__eflags = _t35;
									if(__eflags != 0) {
										__eflags = E003FFC1B(__eflags,  *0x416148, _t35);
										if(__eflags != 0) {
											E00400802(_t35, "PaA");
											E003FF8AF(0);
											goto L28;
										} else {
											_t26 = 0;
											E003FFC1B(__eflags,  *0x416148, 0);
											_push(_t35);
											goto L24;
										}
									} else {
										_t26 = 0;
										__eflags = 0;
										E003FFC1B(0,  *0x416148, 0);
										_push(0);
										L24:
										E003FF8AF();
										goto L19;
									}
								}
							} else {
								_t35 = E003FFBDC(__eflags, _t5);
								__eflags = _t35;
								if(__eflags == 0) {
									_t5 =  *0x416148; // 0x6
									goto L21;
								} else {
									__eflags = _t35 - 0xffffffff;
									if(_t35 != 0xffffffff) {
										L28:
										_t26 = _t35;
									} else {
										L18:
										_t26 = 0;
										__eflags = 0;
										L19:
										_t35 = _t26;
									}
								}
							}
							SetLastError(_t40);
							asm("sbb edi, edi");
							_t37 =  ~_t35 & _t26;
							__eflags = _t37;
							return _t37;
						} else {
							L12:
							if(_t39 == 0) {
								goto L14;
							} else {
								return _t39;
							}
						}
					}
				}
			}

0x00400a91
0x00400a91
0x00400a91
0x00400a91
0x00400a91
0x00400a96
0x00400a97
0x00400a9a
0x00400ab4
0x00400ab7
0x00400abc
0x00400abe
0x00000000
0x00400ac0
0x00400acc
0x00400acf
0x00400ad0
0x00400ad2
0x00400af5
0x00400af7
0x00400b0e
0x00400b15
0x00400b1a
0x00000000
0x00400af9
0x00400b00
0x00400b05
0x00000000
0x00400b05
0x00400ad4
0x00400adb
0x00400ae0
0x00400ae1
0x00400ae1
0x00400ae6
0x00000000
0x00400ae6
0x00400ad2
0x00400a9c
0x00400aa2
0x00400aa6
0x00400aaf
0x00000000
0x00400aa8
0x00400aab
0x00400b25
0x00400b25
0x00400b2a
0x00400b2d
0x00400b2e
0x00400b2f
0x00400b36
0x00400b38
0x00400b3d
0x00400b40
0x00400b5e
0x00400b61
0x00400b66
0x00400b68
0x00000000
0x00400b6a
0x00400b76
0x00400b7a
0x00400b7c
0x00400ba1
0x00400ba3
0x00400bbc
0x00400bc3
0x00000000
0x00400ba5
0x00400ba5
0x00400bae
0x00400bb3
0x00000000
0x00400bb3
0x00400b7e
0x00400b7e
0x00400b7e
0x00400b87
0x00400b8c
0x00400b8d
0x00400b8d
0x00000000
0x00400b92
0x00400b7c
0x00400b42
0x00400b48
0x00400b4a
0x00400b4c
0x00400b59
0x00000000
0x00400b4e
0x00400b4e
0x00400b51
0x00400bcb
0x00400bcb
0x00400b53
0x00400b53
0x00400b53
0x00400b53
0x00400b55
0x00400b55
0x00400b55
0x00400b51
0x00400b4c
0x00400bce
0x00400bd6
0x00400bd8
0x00400bd8
0x00400bdf
0x00400aad
0x00400b1d
0x00400b1f
0x00000000
0x00400b21
0x00400b24
0x00400b24
0x00400b1f
0x00400aab
0x00400aa6

APIs

_free.LIBCMT ref: 00400AE1
_free.LIBCMT ref: 00400B15

Strings

PaA, xrefs: 00400B08

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: _free
String ID: PaA
API String ID: 269201875-4005616706
Opcode ID: 57926aa8dae117b11e67bc7eeeceb44a05cac91b812a1ad7e4f3d90df72497e3
Instruction ID: 56cf6eff731e8654aa18f3fa34c19e26eaf1f16c4405fc9c1b18d5a396a862fc
Opcode Fuzzy Hash: 57926aa8dae117b11e67bc7eeeceb44a05cac91b812a1ad7e4f3d90df72497e3
Instruction Fuzzy Hash: 8E018431A056283ED52336A4AC46FBF31584F01774F120232FE20BB2E2EB38DC92859D

Uniqueness

Uniqueness Score: -1.00%

Function 003F4E80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E003F4E80(unsigned int __ecx, void* __eflags) {
				unsigned int _v8;
				void* _t7;
				WCHAR* _t12;
				void* _t23;
				struct HINSTANCE__* _t27;
				void* _t30;

				_push(__ecx);
				_v8 = __ecx;
				_t27 = E003F6A3D(0x416f28, 0);
				_t23 = 1;
				if(_t27 == 0) {
					L5:
					return 0;
				} else {
					_t12 = (__ecx >> 0x00000004) + 0x00000001 & 0x0000ffff;
					do {
						if(FindResourceExW(_t27, 6, _t12, 0) == 0) {
							goto L4;
						} else {
							_t7 = E003F4E20(_t27, _t5, _v8);
							_t30 = _t30 + 4;
							if(_t7 != 0) {
								return _t27;
							} else {
								goto L4;
							}
						}
						goto L7;
						L4:
						_t27 = E003F6A3D(0x416f28, _t23);
						_t23 = _t23 + 1;
					} while (_t27 != 0);
					goto L5;
				}
				L7:
			}

0x003f4e83
0x003f4e90
0x003f4e98
0x003f4e9a
0x003f4ea1
0x003f4ee5
0x003f4eed
0x003f4ea3
0x003f4ea9
0x003f4eb0
0x003f4ebe
0x00000000
0x003f4ec0
0x003f4ec7
0x003f4ecc
0x003f4ed1
0x003f4ef6
0x00000000
0x00000000
0x00000000
0x003f4ed1
0x00000000
0x003f4ed3
0x003f4ede
0x003f4ee0
0x003f4ee1
0x00000000
0x003f4eb0
0x00000000

APIs

Part of subcall function 003F6A3D: EnterCriticalSection.KERNEL32(00416F3C,00417950,?,?,003F4E98,00000000,00417950,?,?,?,?,003F466A), ref: 003F6A48
Part of subcall function 003F6A3D: LeaveCriticalSection.KERNEL32(00416F3C,?,?,003F4E98,00000000,00417950,?,?,?,?,003F466A,?,?,?,?,003F1170), ref: 003F6A74

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,00417950,?,?,?,?,003F466A,?,?,?,?,003F1170), ref: 003F4EB6

Part of subcall function 003F4E20: LoadResource.KERNEL32(00000000,00000000,00000001,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950), ref: 003F4E2C
Part of subcall function 003F4E20: LockResource.KERNEL32(00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E37
Part of subcall function 003F4E20: SizeofResource.KERNEL32(00000000,00000000,?,?,003F4ECC,00000000,?,00000000,00000000,00417950,?,?,?,?,003F466A), ref: 003F4E45

Strings

(oA, xrefs: 003F4ED4
(oA, xrefs: 003F4E89

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: (oA$(oA
API String ID: 529824247-129977772
Opcode ID: 971a0ff6f75267f249046fdb91df081f593ab6216c5249b4d93797007fa982ca
Instruction ID: 22bbd4530c65b61e609bfeb4e8fb77849935ba1a8d23be059ba297d2e0ba9160
Opcode Fuzzy Hash: 971a0ff6f75267f249046fdb91df081f593ab6216c5249b4d93797007fa982ca
Instruction Fuzzy Hash: 15F0D662F4521C27E72159997C02B7BE2C9EBA4765F02017AFF09E7381D556CC0142D4

Uniqueness

Uniqueness Score: -1.00%

Function 003FDCB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E003FDCB9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _t16;
				intOrPtr* _t18;
				intOrPtr* _t21;

				_push(__ecx);
				_t21 = E003FF852(__ecx, 1, 0x14);
				_t18 = 0;
				_v8 = _t21;
				E003FF8AF(0);
				if(_t21 != 0) {
					_t16 = _a4;
					 *_t21 = _t16;
					 *((intOrPtr*)(_t21 + 4)) = _a8;
					_t5 = _t21 + 0xc; // 0xc
					__imp__GetModuleHandleExW(4, _t16, _t5);
					_v8 = 0;
					_t18 = _t21;
				}
				E003FDC2B( &_v8);
				return _t18;
			}

0x003fdcbe
0x003fdcca
0x003fdccc
0x003fdccf
0x003fdcd2
0x003fdcdc
0x003fdcde
0x003fdce4
0x003fdce6
0x003fdce9
0x003fdcf0
0x003fdcf6
0x003fdcf9
0x003fdcf9
0x003fdcfe
0x003fdd08

APIs

Part of subcall function 003FF852: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00400B76,00000001,00000364,00000006,000000FF,?,003FF6D2,?,00000004,00000004,?,00000000), ref: 003FF893

_free.LIBCMT ref: 003FDCD2

Part of subcall function 003FF8AF: HeapFree.KERNEL32(00000000,00000000,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?), ref: 003FF8C5
Part of subcall function 003FF8AF: GetLastError.KERNEL32(?,?,0040475B,?,00000000,?,?,?,00404782,?,00000007,?,?,00404BB2,?,?), ref: 003FF8D7

GetModuleHandleExW.KERNEL32(00000004,00000000,0000000C,003F3670), ref: 003FDCF0

Strings

C??p6?, xrefs: 003FDCBB

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: Heap$AllocateErrorFreeHandleLastModule_free
String ID: C??p6?
API String ID: 1586671728-3636251353
Opcode ID: 675e3c67adc388658985ed80e0ba97c55abe6e875e27e1eb347cf7d3e9fa0030
Instruction ID: 82d6ab91fdecab5486d928dd9693aa720b2262a9665f99a865f0c577b299398e
Opcode Fuzzy Hash: 675e3c67adc388658985ed80e0ba97c55abe6e875e27e1eb347cf7d3e9fa0030
Instruction Fuzzy Hash: 5CF08972901218BFD711DF55DC46DABBBA9DFC1760F054029FE4A9B341DAB09E01C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 003F698C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F698C(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E003F69DF(__ecx);
				 *__ecx = 0x38;
				_t1 = _t13 + 0x14; // 0x416f3c
				 *((intOrPtr*)(__ecx + 8)) = 0x3f0000;
				 *((intOrPtr*)(__ecx + 4)) = 0x3f0000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x40d45c;
				if(E003F5690(0x3f0000, _t1) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0x417988 = 1;
				}
				return _t13;
			}

0x003f698d
0x003f698f
0x003f6999
0x003f699f
0x003f69a2
0x003f69a5
0x003f69a8
0x003f69af
0x003f69bd
0x003f69c7
0x003f69ce
0x003f69ce
0x003f69d4
0x003f69d4
0x003f69de

APIs

Part of subcall function 003F5690: InitializeCriticalSectionEx.KERNEL32(00416F3C,00000000,00000000,003F69BB,?,003F11B6,80004005,9D5F503D,00000000,0040C64A,000000FF,?,80004005,9D5F503D,?,0040C58A), ref: 003F5695
Part of subcall function 003F5690: GetLastError.KERNEL32(?,003F11B6,80004005,9D5F503D,00000000,0040C64A,000000FF,?,80004005,9D5F503D,?,0040C58A,000000FF), ref: 003F569F

IsDebuggerPresent.KERNEL32(?,003F11B6,80004005,9D5F503D,00000000,0040C64A,000000FF,?,80004005,9D5F503D,?,0040C58A,000000FF), ref: 003F69BF
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,003F11B6,80004005,9D5F503D,00000000,0040C64A,000000FF,?,80004005,9D5F503D,?,0040C58A,000000FF), ref: 003F69CE

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003F69C9

Memory Dump Source

Source File: 00000003.00000002.300378751.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000003.00000002.300374579.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300394386.000000000040D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300406424.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.300411239.0000000000420000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3f0000_fa_rss.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: a9f487f3c3dbed226cc2f3be20db6a982fbe1dbf5dd94eef6df60ebbb1e1c85e
Instruction ID: ba8064359d7bb648bf092c39a4360407328b52b550c4def5da00c4ecdec8f775
Opcode Fuzzy Hash: a9f487f3c3dbed226cc2f3be20db6a982fbe1dbf5dd94eef6df60ebbb1e1c85e
Instruction Fuzzy Hash: E3E06DB06007148BD321AF64E905762BBE0AB04708F01883EE6D5DA646DBB4E4488BA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fa_rss.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pixel[1].gif

C:\Users\user\AppData\Local\Temp\temp_event

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
fa_rss.exe

Function 003F38C0 Relevance: 58.1, APIs: 11, Strings: 22, Instructions: 349
COMMON

Function 003F56C0 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 340
commemoryCOMMON

Function 003F1F10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142
filenetworkCOMMON

Function 003FED36 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 003F6657 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 003F61C0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51
libraryloaderCOMMON

Function 00403DB8 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Function 00404196 Relevance: 1.6, APIs: 1, Instructions: 52
COMMONLIBRARYCODE

Function 003FF852 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 00400374 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 00406A78 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1451
COMMONCrypto

Function 003F5450 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
memoryCOMMON

Function 003F1090 Relevance: 6.3, Strings: 5, Instructions: 92
COMMON

Function 003FD890 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Function 003F4E20 Relevance: 4.5, APIs: 3, Instructions: 47
COMMON

Function 004065E0 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Function 0040B57D Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Function 003F677B Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Function 00403176 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 003FB0F4 Relevance: 1.5, Strings: 1, Instructions: 239
COMMONCrypto

Function 003FAEC2 Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Function 003F1030 Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 003F1CD0 Relevance: .1, Instructions: 112
COMMONCrypto

Function 0040A321 Relevance: .1, Instructions: 104
COMMONCrypto

Function 0040A201 Relevance: .1, Instructions: 81
COMMONCrypto

Function 00402DEB Relevance: .0, Instructions: 29
COMMON

Function 00402E2F Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Function 003F1A80 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 178
windowcomregistryCOMMON

Function 003F1880 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 157
windowtimeCOMMON

Function 00404A1B Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Function 003F1550 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 206
commemoryCOMMON

Function 004008BC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69
COMMON

Function 00408803 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 003F81C5 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Function 003FCFA0 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Function 00402498 Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Function 00403E08 Relevance: 13.7, APIs: 9, Instructions: 208
COMMON

Function 003F7550 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Function 003FF937 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Function 00404769 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 0040585E Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Function 003F6C50 Relevance: 9.2, APIs: 6, Instructions: 154
memoryCOMMON

Function 003F1760 Relevance: 9.1, APIs: 6, Instructions: 111
windowtimeCOMMON

Function 003F7E8E Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Function 004009D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMONLIBRARYCODE

Function 00400B2B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMONLIBRARYCODE

Function 003F8F32 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68
COMMONLIBRARYCODE

Function 003FDD09 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
threadCOMMON